Reported

January 13, 2024

Issued

January 13, 2024 (last modified: February 10, 2024)

Package

ferris-says (crates.io)

Type

INFO Unsound

Aliases

• GHSA-v363-rrf2-5fmj

References

• https://github.com/rust-lang/ferris-says/pull/21

Patched

• >=0.3.1

Unaffected

• <=0.1.2

Description

Affected versions receive a &[u8] from the caller through a safe API, and pass it directly to the unsafe str::from_utf8_unchecked function.

The behavior of ferris_says::say is undefined if the bytes from the caller don't happen to be valid UTF-8.

The flaw was corrected in ferris-says#21 by using the safe str::from_utf8 instead, and returning an error on invalid input. However this fix has not yet been published to crates.io as a patch version for 0.2.

Separately, ferris-says#32 has introduced a different API for version 0.3 which accepts input as &str rather than &[u8], so is unaffected by this bug.

Advisory available under CC0-1.0 license.