Reported

September 27, 2020

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

dync (crates.io)

Type

INFO Unsound

Aliases

• CVE-2020-35903
• GHSA-qxjq-v4wf-ppvh

References

• https://github.com/elrnv/dync/issues/4

CVSS Score

5.5 MEDIUM

CVSS Details

Attack vector

Local

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.5.0

Description

VecCopy::data is created as a Vec of u8 but can be used to store and retrieve elements of different types leading to misaligned access.

The issue was resolved in v0.5.0 by replacing data being stored by Vec<u8> with a custom managed pointer. Elements are now stored and retrieved using types with proper alignment corresponding to original types.

Advisory available under CC0-1.0 license.