Reported

February 18, 2021

Issued

March 2, 2021 (last modified: June 13, 2023)

Package

scratchpad (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Keywords

#memory-safety #double-free

Aliases

• CVE-2021-28031
• GHSA-3qm2-rfqw-fmrw

References

• https://github.com/okready/scratchpad/issues/1

CVSS Score

9.8 CRITICAL

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

• >=1.3.1

Affected Functions

Version

scratchpad::SliceMoveSource::move_elements

• <1.3.1

Description

Affected versions of scratchpad used ptr::read to read elements while calling a user provided function f on them.

Since the pointer read duplicates ownership, a panic inside the user provided f function could cause a double free when unwinding.

The flaw was fixed in commit 891561bea by removing the unsafe block and using a plain iterator.

Advisory available under CC0-1.0 license.