- Reported
-
- Issued
-
- Package
-
yottadb
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Keywords
-
#use-after-free
- Aliases
-
- References
-
- CVSS Score
- 9.8
CRITICAL
- CVSS Details
-
- Attack vector
- Network
- Attack complexity
- Low
- Privileges required
- None
- User interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- High
- Availability
- High
- CVSS Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Patched
-
- Affected Functions
- Version
yottadb::Key::sub_next_self_st-
yottadb::Key::sub_prev_self_st-
yottadb::KeyContext::sub_next_self_st-
yottadb::KeyContext::sub_prev_self_st-
Description
Affected versions of this crate had an unsound implementation which could pass
a pointer to freed memory to ydb_subscript_next_st and
ydb_subscript_prev_st if the variable and subscripts did not have enough
memory allocated on the first call to hold the next variable in the database.
For example, the following code had undefined behavior:
let mut key = Key::variable(String::from("a"));
Key::variable("averylongkeywithlotsofletters")
.set_st(YDB_NOTTP, Vec::new(), b"some val")
.unwrap();
key.sub_next_self_st(YDB_NOTTP, Vec::new()).unwrap();
yottadb has no reverse-dependencies on crates.io and there are no known
instances of this API being used incorrectly in practice. The fix is backwards
compatible.
The flaw was corrected by recalculating the pointer each time it was reallocated.
Advisory available under CC0-1.0
license.