Reported

September 23, 2021

Issued

September 23, 2021 (last modified: June 13, 2023)

Package

nanorand (crates.io)

Type

Vulnerability

Keywords

#memory-safety #aliasing

Aliases

• CVE-2021-45705
• GHSA-p6gj-gpc8-f8xw
• GHSA-r57r-j98g-587f

References

• https://github.com/Absolucy/nanorand-rs/issues/28

Patched

• >=0.6.1

Unaffected

• <0.5.0

Affected Functions

Version

nanorand::tls::tls_rand

• >=0.5.0
• <=0.6.0

Description

TlsWyRand's implementation of Deref unconditionally dereferences a raw pointer, and returns multiple mutable references to the same object, which is undefined behavior.

Advisory available under CC0-1.0 license.