Reported

September 24, 2021

Issued

September 24, 2021 (last modified: June 13, 2023)

Package

zeroize_derive (crates.io)

Type

Vulnerability

Aliases

• CVE-2021-45706
• GHSA-c5hx-w945-j4pq

References

• https://github.com/iqlusioninc/crates/issues/876

Patched

• >=1.1.1

Description

Affected versions of this crate did not implement Drop when #[zeroize(drop)] was used on an enum.

This can result in memory not being zeroed out after dropping it, which is exactly what is intended when adding this attribute.

The flaw was corrected in version 1.2 and #[zeroize(drop)] on enums now properly implements Drop.

Advisory available under CC0-1.0 license.