RUSTSEC-2020-0032

StrcCtx deallocates a memory region that it doesn't own

Reported

August 20, 2020

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

alpm-rs (crates.io)

Type

INFO Unsound

Aliases

CVE-2020-35885
GHSA-qc4m-gc8r-mg8m

References

https://github.com/pigeonhands/rust-arch/issues/2

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

no patched versions

Description

StrcCtx deallocate a memory region that it doesn't own when StrcCtx is created without using StrcCtx::new. This can introduce memory safety issues such as double-free and use-after-free to client programs.

Advisory available under CC0-1.0 license.