
RUSTSEC-2021-0037

Fix a use-after-free bug in diesel's SQLite backend

Package: diesel (crates.io)
Type: Vulnerability
Keywords: #use-after-free
Details: https://github.com/diesel-rs/diesel/pull/2663
CVSS Score: 9.8 CRITICAL
CVSS Details:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched:
  • >=1.4.6
Affected Functions:
  diesel::SqliteConnection::query_by_name
  • <1.4.6

Description

We've misused sqlite3_column_name. The SQLite documentation states the following:

The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.

As part of our query_by_name infrastructure we first retrieved all field names for the prepared statement and stored them as string slices for later use. After that we called sqlite3_step() for the first time, which invalidates the pointer and therefore the stored string slices.
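As an added illustration (not diesel's code and not real SQLite), the Rust below models the contract quoted above with a mock statement whose column-name storage is recycled by step(), and contrasts the pattern this advisory describes with the fix of copying each name into an owned String before the first step; MockStmt, names_buggy and names_fixed are constructed for this example.

```rust
use std::ffi::{CStr, CString};
use std::os::raw::c_char;
const SLOT: usize = 32; // bytes of statement-owned storage per column name

/// Constructed stand-in for sqlite3_stmt (not real SQLite): a column_name() pointer is valid only until the next step().
pub struct MockStmt {
    names: Vec<&'static str>,
    storage: *mut [u8], // heap buffer touched only through raw pointers
}

impl MockStmt {
    pub fn new(names: Vec<&'static str>) -> Self {
        let storage = Box::into_raw(vec![0u8; names.len() * SLOT].into_boxed_slice());
        MockStmt { names, storage }
    }
    fn write_slot(&mut self, idx: usize, s: &str) -> *const c_char {
        let bytes = CString::new(s).unwrap().into_bytes_with_nul();
        assert!(bytes.len() <= SLOT && idx < self.names.len());
        unsafe {
            let dst = (self.storage as *mut u8).add(idx * SLOT);
            std::ptr::copy_nonoverlapping(bytes.as_ptr(), dst, bytes.len());
            dst as *const c_char
        }
    }
    /// Mirrors sqlite3_column_name: a pointer into statement-owned storage.
    pub fn column_name(&mut self, idx: usize) -> *const c_char {
        self.write_slot(idx, self.names[idx])
    }
    /// Mirrors sqlite3_step: the first call reprepares, clobbering every slot.
    pub fn step(&mut self) {
        (0..self.names.len()).for_each(|i| { self.write_slot(i, "<reprepared>"); });
    }
}
impl Drop for MockStmt {
    fn drop(&mut self) { unsafe { drop(Box::from_raw(self.storage)) } }
}

fn owned(p: *const c_char) -> String { let s = unsafe { CStr::from_ptr(p) }; s.to_string_lossy().into_owned() }

/// Vulnerable pattern (diesel < 1.4.6): hold the column_name() pointers across step(), then read them.
pub fn names_buggy(stmt: &mut MockStmt) -> Vec<String> {
    let ptrs: Vec<_> = (0..stmt.names.len()).map(|i| stmt.column_name(i)).collect();
    stmt.step();
    ptrs.into_iter().map(owned).collect()
}

/// Fix: copy each name into an owned String before the first step().
pub fn names_fixed(stmt: &mut MockStmt) -> Vec<String> {
    let names: Vec<String> = (0..stmt.names.len()).map(|i| owned(stmt.column_name(i))).collect();
    stmt.step();
    names
}
```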