RUSTSEC-2022-0046

Out-of-bounds read when opening multiple column families with TTL

Reported

May 11, 2022

Issued

August 11, 2022 (last modified: June 13, 2023)

Package

rocksdb (crates.io)

Type

Vulnerability

Categories

memory-corruption

Keywords

#out-of-bounds-read

Aliases

GHSA-xpp3-xrff-w6rh

References

https://github.com/rust-rocksdb/rust-rocksdb/pull/616

Patched

>=0.19.0

Affected Functions

Version

rocksdb::DBWithThreadMode::open_cf_descriptors_with_ttl

<0.19.0

Description

Affected versions of this crate called the RocksDB C API rocksdb_open_column_families_with_ttl() with a pointer to a single integer TTL value, but one TTL value for each column family is expected.

This is only relevant when using rocksdb::DBWithThreadMode::open_cf_descriptors_with_ttl() with multiple column families.

This bug has been fixed in v0.19.0.

Advisory available under CC0-1.0 license.