Reported

February 17, 2021

Issued

March 1, 2021 (last modified: June 13, 2023)

Package

truetype (crates.io)

Type

Vulnerability

Categories

• memory-exposure

Aliases

• CVE-2021-28030
• GHSA-v7q4-97x4-4qw2

References

• https://github.com/bodoni/truetype/issues/11

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

None

Availability Impact

None

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Patched

• >=0.30.1

Description

Affected versions of this crate passed an unininitialized buffer to a user-provided Read instance in Tape::take_bytes.

This can result in safe Read implementations reading from the uninitialized buffer leading to undefined behavior.

The flaw was corrected in commit 1f2dc7f37dd by removing the unsafe block and zero-initializing the buffer.

Advisory available under CC0-1.0 license.