RUSTSEC-2021-0089

Optional Deserialize implementations lacking validation

Issued
Package
raw-cpuid (crates.io)
Type
Vulnerability
Categories
  • memory-corruption
  • denial-of-service
Details
https://github.com/gz/rust-cpuid/issues/43
Patched
  • >=9.1.1
Unaffected
  • <=3.1.0

Description

When the non-default feature serialize is enabled, most structs implement serde::Deserialize without sufficient validation. Deserializing untrusted data can therefore construct values that violate invariants which safe code (and the crate's unsafe code) relies on, leading to:

See https://github.com/gz/rust-cpuid/issues/43.
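The bug class, as an added dependency-free example that is not raw-cpuid's code: a struct whose constructor would normally guarantee that twelve register bytes form a valid string, decoded once through an unchecked path that stands in for a derived serde::Deserialize, and once through a validating path that stands in for a manual impl or #[serde(try_from = "...")]. The struct, field names, helper names and the "wire" byte layout are assumptions chosen for illustration.

```rust
use std::panic;

/// Constructed example (not raw-cpuid code): three register values whose
/// bytes, concatenated, must be valid UTF-8. That is the invariant the
/// accessor below relies on.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct VendorInfo {
    ebx: u32,
    edx: u32,
    ecx: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    Truncated,
    NotUtf8,
}

impl VendorInfo {
    /// Stand-in for a derived `serde::Deserialize`: copies the twelve wire
    /// bytes into the fields and performs no validation at all.
    pub fn from_wire_unchecked(wire: &[u8; 12]) -> VendorInfo {
        VendorInfo {
            ebx: u32::from_le_bytes([wire[0], wire[1], wire[2], wire[3]]),
            edx: u32::from_le_bytes([wire[4], wire[5], wire[6], wire[7]]),
            ecx: u32::from_le_bytes([wire[8], wire[9], wire[10], wire[11]]),
        }
    }

    /// Stand-in for a validating `Deserialize` (a manual impl or
    /// `#[serde(try_from = "...")]`): the invariant is re-established
    /// before a value can exist, so every later method may rely on it.
    pub fn try_from_wire(wire: &[u8]) -> Result<VendorInfo, DecodeError> {
        if wire.len() != 12 {
            return Err(DecodeError::Truncated);
        }
        let mut fixed = [0u8; 12];
        fixed.copy_from_slice(wire);
        std::str::from_utf8(&fixed).map_err(|_| DecodeError::NotUtf8)?;
        Ok(VendorInfo::from_wire_unchecked(&fixed))
    }

    fn bytes(&self) -> [u8; 12] {
        let mut out = [0u8; 12];
        out[0..4].copy_from_slice(&self.ebx.to_le_bytes());
        out[4..8].copy_from_slice(&self.edx.to_le_bytes());
        out[8..12].copy_from_slice(&self.ecx.to_le_bytes());
        out
    }

    /// Safe accessor written on the assumption that the invariant holds.
    /// Fed a value from the unchecked path it panics on hostile input
    /// (denial of service); a crate that used `str::from_utf8_unchecked`
    /// here would instead hit undefined behaviour.
    pub fn as_string(&self) -> String {
        std::str::from_utf8(&self.bytes())
            .expect("VendorInfo invariant: register bytes are UTF-8")
            .to_string()
    }
}

/// Runs both decoding paths over one input and reports
/// (accessor panicked after unchecked decode, result of checked decode).
pub fn compare_paths(wire: &[u8; 12]) -> (bool, Result<String, DecodeError>) {
    let unchecked = VendorInfo::from_wire_unchecked(wire);
    let panicked = panic::catch_unwind(|| unchecked.as_string()).is_err();
    let checked = VendorInfo::try_from_wire(wire).map(|v| v.as_string());
    (panicked, checked)
}

/// Constructed inputs: a well-formed vendor string and twelve 0xFF bytes,
/// which can never be valid UTF-8.
pub const GENUINE_INTEL: [u8; 12] = *b"GenuineIntel";
pub const HOSTILE: [u8; 12] = [0xFF; 12];

fn main() {
    // Silence the default panic message for the demonstration run.
    panic::set_hook(Box::new(|_| {}));
    println!("benign:  {:?}", compare_paths(&GENUINE_INTEL));
    println!("hostile: {:?}", compare_paths(&HOSTILE));
}
```

The fix the advisory's patched versions represent is the second path: validation belongs in the deserializer, not in every accessor, because once a value with a broken invariant exists, every method that trusted the constructor is reachable from safe code.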
