Reported

June 14, 2020

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

rgb (crates.io)

Type

INFO Unsound

Keywords

#type-confusion

Aliases

• CVE-2020-25016
• GHSA-g4rw-8m5q-6453

References

• https://github.com/kornelski/rust-rgb/issues/35

CVSS Score

9.1 CRITICAL

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

None

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Patched

• >=0.8.20

Unaffected

• <0.5.4

Description

Affected versions of rgb crate allow viewing and modifying data of any type T wrapped in RGB<T> as bytes, and do not correctly constrain RGB<T> and other wrapper structures to the types for which it is safe to do so.

Safety violation possible for a type wrapped in RGB<T> and similar wrapper structures:

• If T contains padding, viewing it as bytes may lead to exposure of contents of uninitialized memory.
• If T contains a pointer, modifying it as bytes may lead to dereferencing of arbitrary pointers.
• Any safety and/or validity invariants for T may be violated.

The issue was resolved by requiring all types wrapped in structures provided by RGB crate to implement an unsafe marker trait.

Advisory available under CC0-1.0 license.