RUSTSEC-2021-0089

Optional Deserialize implementations lacking validation

Reported

January 20, 2021

Issued

August 21, 2021 (last modified: June 13, 2023)

Package

raw-cpuid (crates.io)

Type

Vulnerability

Categories

memory-corruption
denial-of-service

Aliases

CVE-2021-45687
GHSA-jf5h-cf95-w759
GHSA-w428-f65r-h4q2

References

https://github.com/gz/rust-cpuid/issues/43

Patched

>=9.1.1

Unaffected

<=3.1.0

Description

When activating the non-default feature serialize, most structs implement serde::Deserialize without sufficient validation. This allows breaking invariants in safe code, leading to:

Undefined behavior in as_string() methods (which use std::str::from_utf8_unchecked() internally).
Panics due to failed assertions.

See https://github.com/gz/rust-cpuid/issues/43.

Advisory available under CC0-1.0 license.