Reported

January 26, 2022

Issued

August 2, 2022 (last modified: October 14, 2023)

Package

owning_ref (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Aliases

• GHSA-9qxh-258v-666c

References

• https://github.com/noamtashma/owning-ref-unsoundness
• https://github.com/Kimundi/owning-ref-rs/issues/49
• https://github.com/Kimundi/owning-ref-rs/issues/61
• https://github.com/Kimundi/owning-ref-rs/issues/71
• https://github.com/Kimundi/owning-ref-rs/issues/77

Patched

no patched versions

Description

• OwningRef::map_with_owner is unsound and may result in a use-after-free.
• OwningRef::map is unsound and may result in a use-after-free.
• OwningRefMut::as_owner and OwningRefMut::as_owner_mut are unsound and may result in a use-after-free.
• The crate violates Rust's aliasing rules, which may cause miscompilations on recent compilers that emit the LLVM noalias attribute.

safer_owning_ref is a replacement crate which fixes these issues. No patched versions of the original crate are available, and the maintainer is unresponsive.

Advisory available under CC0-1.0 license.