Reported

January 10, 2021

Issued

January 20, 2021 (last modified: June 13, 2023)

Package

basic_dsp_matrix (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Aliases

• CVE-2021-25906
• GHSA-fjr6-hm39-4cf9

References

• https://github.com/liebharc/basic_dsp/issues/47

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.9.2

Description

Affected versions of this crate did not guard against double drop while temporarily duplicating objects' ownership using ptr::read(). Upon panic in a user-provided function conversion, objects that are copied by ptr::read() are dropped twice, leading to memory corruption.

The flaw was corrected in v0.9.2 by using ManuallyDrop<T> to enclose objects that are to be temporarily duplicated.

Advisory available under CC0-1.0 license.