RUSTSEC-2023-0054

Use-after-free in vec_insert_bytes

Reported
Issued
Package: mail-internals (crates.io)
Type: Vulnerability
Categories
Keywords: #mail #mail-api
Aliases
References
Patched: no patched versions
Affected Functions (Version):
  • mail_internals::utils::vec_insert_bytes: >=0.2.0

Description

Incorrect reallocation logic in the function vec_insert_bytes causes a use-after-free.

This function does not have to be called directly to trigger the vulnerability because many methods on EncodingWriter call this function internally.

The mail-* suite is unmaintained and the upstream sources have been actively vandalised. A fixed mail-internals-ng crate (along with mail-headers-ng and mail-core-ng) has been published; it fixes this issue as well as a dependency on another unsound crate.
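
The advisory does not reproduce the faulty code. As an added example (not code from mail-internals or mail-internals-ng), the following shows a helper that inserts a byte slice into a Vec<u8>, written so that growing the buffer cannot leave a stale pointer behind. The function names and signatures are assumptions.

```rust
use std::ptr;

/// Safe version: `Vec::splice` handles growth and tail shifting internally.
/// (Hypothetical helper name, not the crate's API.)
pub fn insert_bytes_safe(target: &mut Vec<u8>, idx: usize, source: &[u8]) {
    assert!(idx <= target.len(), "insertion index out of bounds");
    target.splice(idx..idx, source.iter().copied());
}

/// Unsafe version with the ordering that keeps pointers valid:
/// grow the buffer first, derive raw pointers only afterwards.
/// (Hypothetical helper name, not the crate's API.)
pub fn insert_bytes_unsafe(target: &mut Vec<u8>, idx: usize, source: &[u8]) {
    let old_len = target.len();
    assert!(idx <= old_len, "insertion index out of bounds");
    let add = source.len();
    // reserve() may move the buffer to a new allocation and free the old one.
    // Any pointer obtained from `target` before this call would dangle.
    target.reserve(add);
    unsafe {
        // Pointer taken after the (possible) reallocation.
        let at = target.as_mut_ptr().add(idx);
        // Shift the tail right; the regions may overlap, so use ptr::copy.
        ptr::copy(at, at.add(add), old_len - idx);
        // `source` is a separate borrow, so it cannot overlap `target`.
        ptr::copy_nonoverlapping(source.as_ptr(), at, add);
        target.set_len(old_len + add);
    }
}

fn main() {
    // Constructed input: a small, full buffer, so the insert has to grow it.
    let mut a: Vec<u8> = Vec::with_capacity(5);
    a.extend_from_slice(b"helld");
    let mut b = a.clone();
    insert_bytes_safe(&mut a, 4, b"o worl");
    insert_bytes_unsafe(&mut b, 4, b"o worl");
    assert_eq!(a, b"hello world".to_vec());
    assert_eq!(a, b);
    println!("{}", String::from_utf8_lossy(&b));
}
```

Running the unsafe variant under Miri (cargo miri run) is a practical way to confirm that no pointer outlives a reallocation.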

Advisory available under CC0-1.0 license.