Reported

January 26, 2021

Issued

August 22, 2021

Package

messagepack-rs (crates.io)

Type

Vulnerability

Categories

• memory-exposure

Details

https://github.com/otake84/messagepack-rs/issues/2

Patched

no patched versions

Description

Affected versions of this crate passed an uninitialized buffer to a user-provided Read instance in:

• deserialize_binary
• deserialize_string
• deserialize_extension_others
• deserialize_string_primitive

This can result in safe Read implementations reading from the uninitialized buffer leading to undefined behavior.