Reported

July 26, 2023

Issued

July 27, 2023 (last modified: July 29, 2023)

Package

intaglio (crates.io)

Type

INFO Unsound

Aliases

• GHSA-gch5-hwqf-mxhp

References

• https://github.com/artichoke/intaglio/pull/236
• https://github.com/artichoke/intaglio/issues/235
• https://github.com/artichoke/intaglio/pull/236
• https://github.com/artichoke/intaglio/releases/tag/v1.9.0

Patched

• >=1.9.0

Affected Functions

Version

intaglio::SymbolTable::intern

• <1.9.0

intaglio::bytes::SymbolTable::intern

• <1.9.0

intaglio::cstr::SymbolTable::intern

• <1.9.0, >=1.5.0

intaglio::osstr::SymbolTable::intern

• <1.9.0, >=1.5.0

intaglio::path::SymbolTable::intern

• <1.9.0, >=1.5.0

Description

Affected versions of this crate have a stacked borrows violation when creating references to interned contents. All interner types are affected.

The flaw was corrected in version 1.9.0 by reordering move and borrowing operations and storing interned contents by raw pointer instead of as a Box.

Advisory available under CC0-1.0 license.