RUSTSEC-2023-0030

Versionize::deserialize implementation for FamStructWrapper<T> is lacking bound checks, potentially leading to out of bounds memory accesses

Reported

March 24, 2023

Issued

March 25, 2023 (last modified: June 13, 2023)

Package

versionize (crates.io)

Type

Vulnerability

Categories

memory-exposure

Aliases

References

https://github.com/firecracker-microvm/versionize/pull/53

CVSS Score

5.7 MEDIUM

CVSS Details

Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: None
Integrity: Low
Availability: Low

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Patched

>=0.1.10

Affected OSes

linux

Description

An issue was discovered in the Versionize::deserialize implementation provided by the versionize crate for vmm_sys_util::fam::FamStructWrapper, which can lead to out of bounds memory accesses. The impact started with version 0.1.1. The issue was corrected in version 0.1.10 by inserting a check that verifies, for any deserialized header, the lengths of compared flexible arrays are equal and aborting deserialization otherwise.

Advisory available under CC0-1.0 license.