Reported

February 17, 2021

Issued

March 26, 2021 (last modified: June 13, 2023)

Package

uu_od (crates.io)

Type

Vulnerability

Categories

• memory-exposure

Aliases

• CVE-2021-29934
• GHSA-w9vv-q986-vj7x

References

• https://github.com/uutils/coreutils/issues/1729

CVSS Score

7.3 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

Low

Integrity Impact

Low

Availability Impact

Low

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Patched

• >=0.0.4

Description

Affected versions of this crate passed an uniniitalized buffer to a user-provided Read instance in PartialReader::read.

This can result in safe Read implementations reading from the uninitialized buffer leading to undefined behavior.

The flaw was fixed in commit 39d62c6 by zero-initializing the passed buffer.

Advisory available under CC0-1.0 license.