Reported

February 17, 2021

Issued

March 26, 2021 (last modified: June 13, 2023)

Package

uu_od (crates.io)

Type

Vulnerability

Categories

• memory-exposure

Aliases

• CVE-2021-29934
• GHSA-w9vv-q986-vj7x

References

• https://github.com/uutils/coreutils/issues/1729

CVSS Score

7.3 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Patched

• >=0.0.4

Description

Affected versions of this crate passed an uniniitalized buffer to a user-provided Read instance in PartialReader::read.

This can result in safe Read implementations reading from the uninitialized buffer leading to undefined behavior.

The flaw was fixed in commit 39d62c6 by zero-initializing the passed buffer.

Advisory available under CC0-1.0 license.