RUSTSEC-2020-0012

Relies on undefined behavior of char::from_u32_unchecked

Reported:
Issued:
Package: os_str_bytes (crates.io)
Type: Vulnerability
Aliases:
Details: https://github.com/dylni/os_str_bytes/pull/1
CVSS Score: 7.5 HIGH
CVSS Details:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: None
  Scope: Unchanged
  Confidentiality: None
  Integrity: None
  Availability: High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Patched:
  • >=2.0.0
Affected OSes:
  • windows

Description

The Windows implementation of this crate relied on the behavior of std::char::from_u32_unchecked when its safety clause is violated. That function is only sound when called with a valid Unicode scalar value (at most U+10FFFF and not a surrogate code point); calling it with anything else is undefined behavior. Although the code happened to work with Rust versions up to 1.42 (at least), the compiler is free to change how it treats that undefined behavior in any new release, which could turn the latent bug into a security issue.

The flaw was corrected in version 2.0.0.
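The following is an added example, not code from os_str_bytes or from the advisory. It shows the two sides of the problem: a checked conversion built on `char::from_u32`, which refuses surrogate code points instead of producing an invalid `char`, and a sound way to encode Windows-style UTF-16 (which may contain unpaired surrogates) into WTF-8 bytes without ever going through `char` for the surrogate case. The function names, the sample code-unit sequences, and the assumption that the original shortcut consisted of feeding a surrogate to `from_u32_unchecked` and then encoding it are mine, not taken from the crate.

```rust
// Added example: a checked alternative to the unsound `char::from_u32_unchecked`
// shortcut described in RUSTSEC-2020-0012. Not code from os_str_bytes.

/// True if `cp` is a Unicode scalar value, i.e. a value that
/// `char::from_u32_unchecked` may legally receive.
pub fn is_valid_scalar(cp: u32) -> bool {
    cp <= 0x10FFFF && !(0xD800..=0xDFFF).contains(&cp)
}

/// The checked path: `char::from_u32` returns `None` for surrogates and
/// out-of-range values, so an invalid `char` can never be constructed.
pub fn encode_via_char(cp: u32) -> Option<Vec<u8>> {
    let c = char::from_u32(cp)?;
    let mut buf = [0u8; 4];
    Some(c.encode_utf8(&mut buf).as_bytes().to_vec())
}

/// Encode one code point, including a lone surrogate, as generalized UTF-8
/// (WTF-8). This does the byte arithmetic directly instead of constructing a
/// `char`, so it stays sound for the values `from_u32_unchecked` forbids.
fn push_wtf8(cp: u32, out: &mut Vec<u8>) {
    match cp {
        0..=0x7F => out.push(cp as u8),
        0x80..=0x7FF => {
            out.push(0xC0 | (cp >> 6) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
        0x800..=0xFFFF => {
            out.push(0xE0 | (cp >> 12) as u8);
            out.push(0x80 | ((cp >> 6) & 0x3F) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
        _ => {
            out.push(0xF0 | (cp >> 18) as u8);
            out.push(0x80 | ((cp >> 12) & 0x3F) as u8);
            out.push(0x80 | ((cp >> 6) & 0x3F) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
    }
}

/// Convert UTF-16 code units (the representation a Windows OsString carries,
/// which is allowed to contain unpaired surrogates) into WTF-8 bytes.
/// Well-formed surrogate pairs are combined; lone surrogates are kept as
/// three-byte sequences, so the conversion is lossless.
pub fn utf16_to_wtf8(units: &[u16]) -> Vec<u8> {
    let mut out = Vec::with_capacity(units.len());
    let mut i = 0;
    while i < units.len() {
        let hi = units[i] as u32;
        let cp = if (0xD800..=0xDBFF).contains(&hi)
            && i + 1 < units.len()
            && (0xDC00..=0xDFFF).contains(&(units[i + 1] as u32))
        {
            let lo = units[i + 1] as u32;
            i += 1;
            0x10000 + ((hi - 0xD800) << 10) + (lo - 0xDC00)
        } else {
            hi
        };
        i += 1;
        push_wtf8(cp, &mut out);
    }
    out
}

fn main() {
    // Constructed sample inputs: "a" followed by U+1F600 as a valid pair,
    // and a lone high surrogate, which Windows file names may contain.
    let paired: [u16; 3] = [0x61, 0xD83D, 0xDE00];
    let lone: [u16; 1] = [0xD800];

    println!("valid pair -> {:02X?}", utf16_to_wtf8(&paired));
    println!("lone surrogate -> {:02X?}", utf16_to_wtf8(&lone));
    println!("checked char path for U+D800 -> {:?}", encode_via_char(0xD800));
    println!("is 0xD800 a scalar value? {}", is_valid_scalar(0xD800));
}
```

The design point is that the surrogate case must be handled as bytes, not as a `char`: `encode_via_char` is what safe code can do, and it correctly returns `None` for U+D800, while `utf16_to_wtf8` produces the WTF-8 bytes `ED A0 80` for that same input without violating any `unsafe` contract. The resulting byte vector is deliberately not valid UTF-8, which is exactly why it cannot be represented as a `String` or a `char`.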