RustSec Advisories (https://rustsec.org/feed.xml), updated 2024-03-15T12:00:00+00:00, by RustSec (icon: https://rustsec.org/favicon.ico). Security advisories filed against Rust crates.

RUSTSEC-2023-0085: Vulnerability in hpack (https://rustsec.org/advisories/RUSTSEC-2023-0085.html; updated 2024-03-15T12:00:00+00:00; published 2024-03-15T12:00:00+00:00). Summary: HPACK decoder panics on invalid input
<article>
<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/hpack/RUSTSEC-2023-0085.md">History</a> ⋅
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/hpack/RUSTSEC-2023-0085.md">Edit</a> ⋅
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2023-0085">JSON (OSV)</a>
</span>
<header>
<h1>
RUSTSEC-2023-0085
</h1>
<span class="subtitle"><p>HPACK decoder panics on invalid input</p>
</span>
</header>
<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2023-09-15">
September 15, 2023
</time>
</dd>
<dt id="issued">Issued</dt>
<dd>
<time datetime="2024-03-15">
March 15, 2024
</time>
</dd>
<dt id="package">Package</dt>
<dd>
<a href="/packages/hpack.html">hpack</a>
(<a href="https://crates.io/crates/hpack">crates.io</a>)
</dd>
<dt id="type">Type</dt>
<dd>
Vulnerability
</dd>
<dt id="categories">Categories</dt>
<dd>
<ul>
<li><a href="/categories/denial-of-service.html">denial-of-service</a></li>
</ul>
</dd>
<dt id="details">References</dt>
<dd>
<ul>
<li>
<a href="https://github.com/mlalic/hpack-rs/issues/11">
https://github.com/mlalic/hpack-rs/issues/11
</a>
</li>
<li>
<a href="https://github.com/sno2/hpack-rs-patched/commit/d669282924a95311599e9e7dd53869ee96b3a2f5">
https://github.com/sno2/hpack-rs-patched/commit/d669282924a95311599e9e7dd53869ee96b3a2f5
</a>
</li>
</ul>
</dd>
<dt id="patched">Patched</dt>
<dd>
no patched versions
</dd>
</dl>
<h3 id="description">Description</h3>
<p>Due to insufficient checking of input data, decoding certain data sequences can
lead to <em>Decoder::decode</em> panicking rather than returning an error.</p>
<p>Example code that triggers this vulnerability looks like this:</p>
<pre><code class="language-rust">use hpack::Decoder;

pub fn main() {
    // 0x3f is a dynamic table size update (prefix bits 001) whose 5-bit
    // value field is saturated, so the encoding requires a continuation
    // byte that this one-byte buffer does not contain.
    let input = &[0x3f];
    let mut decoder = Decoder::new();
    // On affected versions this panics instead of returning Err.
    let _ = decoder.decode(input);
}
</code></pre>
<p>hpack is unmaintained. A crate with the panics fixed has been published as
<a href="https://crates.io/crates/hpack-patched">hpack-patched</a>.</p>
<p>Also consider using <a href="https://crates.io/crates/fluke-hpack">fluke-hpack</a> or
<a href="https://crates.io/crates/httlib-huffman">httlib-huffman</a> as an alternative.</p>
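<p>The following is an added example, not hpack's code, showing the failure class behind this advisory with a minimal HPACK integer decoder (RFC 7541 section 5.1) written two ways. The byte 0x3f is a dynamic table size update (prefix bits 001) whose 5-bit value field is saturated (11111 = 31), so the encoding promises at least one continuation byte. A decoder that indexes the buffer blindly panics when that byte is missing; one that reads through <code>get</code> and caps the integer's width returns an error and also rejects a hostile peer's unbounded continuation bytes. Whether hpack's panic sat on exactly this path is not stated by the advisory, and all names here are this example's own.</p>

```rust
// Added example: bounded HPACK integer decoding, unchecked vs. checked.

/// Ways a checked decode can fail (this example's own error type).
#[derive(Debug, PartialEq, Eq)]
pub enum HpackError {
    /// The buffer ended while a continuation byte was still required.
    Truncated,
    /// The encoded integer exceeds 32 bits; width must be capped because a
    /// peer can send as many continuation bytes as it likes.
    IntegerOverflow,
    /// The first byte does not carry the 001 table-size-update prefix.
    UnexpectedOpcode(u8),
}

/// Unchecked shape: direct indexing. Valid input decodes correctly, but
/// `[0x3f]` panics on `buf[1]` instead of reporting an error.
pub fn decode_int_unchecked(buf: &[u8], prefix_bits: u32) -> (u32, usize) {
    let mask: u32 = (1 << prefix_bits) - 1;
    let mut value = buf[0] as u32 & mask;
    if value < mask {
        return (value, 1);
    }
    let mut pos = 1;
    let mut shift = 0;
    loop {
        let b = buf[pos]; // panics when the continuation byte is absent
        pos += 1;
        value += ((b & 0x7f) as u32) << shift;
        shift += 7;
        if b & 0x80 == 0 {
            return (value, pos);
        }
    }
}

/// Checked shape: every read goes through `get` and the accumulated width is
/// capped, so any input yields `Ok` or `Err`, never a panic. Returns the
/// value and the number of bytes consumed.
pub fn decode_int(buf: &[u8], prefix_bits: u32) -> Result<(u32, usize), HpackError> {
    let mask: u32 = (1 << prefix_bits) - 1;
    let first = *buf.first().ok_or(HpackError::Truncated)?;
    let mut value = (first as u32 & mask) as u64;
    if value < mask as u64 {
        return Ok((value as u32, 1));
    }
    let mut pos = 1;
    let mut shift = 0u32;
    loop {
        let b = *buf.get(pos).ok_or(HpackError::Truncated)?;
        pos += 1;
        if shift > 28 {
            // A fifth continuation byte can never fit in 32 bits.
            return Err(HpackError::IntegerOverflow);
        }
        value += ((b & 0x7f) as u64) << shift;
        if value > u32::MAX as u64 {
            return Err(HpackError::IntegerOverflow);
        }
        shift += 7;
        if b & 0x80 == 0 {
            return Ok((value as u32, pos));
        }
    }
}

/// Decodes a dynamic table size update (RFC 7541 section 6.3): prefix 001
/// followed by a 5-bit-prefixed integer. `[0x3f]` starts this instruction
/// and never finishes it.
pub fn decode_table_size_update(buf: &[u8]) -> Result<(u32, usize), HpackError> {
    let first = *buf.first().ok_or(HpackError::Truncated)?;
    if first & 0xe0 != 0x20 {
        return Err(HpackError::UnexpectedOpcode(first));
    }
    decode_int(buf, 5)
}

fn main() {
    // 4096 encoded as 0x3f 0xe1 0x1f (31 + 97 + 31 * 128).
    println!("{:?}", decode_table_size_update(&[0x3f, 0xe1, 0x1f])); // Ok((4096, 3))
    println!("{:?}", decode_table_size_update(&[0x3f])); // Err(Truncated)
}
```

<p>Wrapping calls into an unmaintained decoder in <code>std::panic::catch_unwind</code> is not an equivalent fix: a panic in the middle of a connection's state machine still tears down whatever that thread owned, and the process may be built with <code>panic = "abort"</code>. Returning <code>Err</code> from the decoder, as <code>hpack-patched</code> does, is the property to require.</p>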
<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.
</p>
</article>

RUSTSEC-2023-0084: hpack is unmaintained (https://rustsec.org/advisories/RUSTSEC-2023-0084.html; updated 2024-03-06T12:00:00+00:00; published 2024-03-06T12:00:00+00:00). Summary: `hpack` is unmaintained
<article>
<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/hpack/RUSTSEC-2023-0084.md">History</a> ⋅
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/hpack/RUSTSEC-2023-0084.md">Edit</a> ⋅
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2023-0084">JSON (OSV)</a>
</span>
<header>
<h1>
RUSTSEC-2023-0084
</h1>
<span class="subtitle"><p><code>hpack</code> is unmaintained</p>
</span>
</header>
<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2023-09-15">
September 15, 2023
</time>
</dd>
<dt id="issued">Issued</dt>
<dd>
<time datetime="2024-03-06">
March 6, 2024
</time>
</dd>
<dt id="package">Package</dt>
<dd>
<a href="/packages/hpack.html">hpack</a>
(<a href="https://crates.io/crates/hpack">crates.io</a>)
</dd>
<dt id="type">Type</dt>
<dd>
<span class="tag info">INFO</span>
Unmaintained
</dd>
<dt id="details">References</dt>
<dd>
<ul>
<li>
<a href="https://github.com/mlalic/hpack-rs/issues/8">
https://github.com/mlalic/hpack-rs/issues/8
</a>
</li>
</ul>
</dd>
<dt id="patched">Patched</dt>
<dd>
no patched versions
</dd>
</dl>
<h3 id="description">Description</h3>
<p>The <code>hpack</code> crate is no longer maintained.</p>
<p>Consider using <a href="https://crates.io/crates/fluke-hpack">fluke-hpack</a> or
<a href="https://crates.io/crates/httlib-huffman">httlib-huffman</a>.</p>
<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.
</p>
</article>

RUSTSEC-2024-0021: Vulnerability in eyre (https://rustsec.org/advisories/RUSTSEC-2024-0021.html; updated 2024-03-06T12:00:00+00:00; published 2024-03-06T12:00:00+00:00). Summary: Parts of Report are dropped as the wrong type during downcast
<article>
<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/eyre/RUSTSEC-2024-0021.md">History</a> ⋅
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/eyre/RUSTSEC-2024-0021.md">Edit</a> ⋅
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2024-0021">JSON (OSV)</a>
</span>
<header>
<h1>
RUSTSEC-2024-0021
</h1>
<span class="subtitle"><p>Parts of Report are dropped as the wrong type during downcast</p>
</span>
</header>
<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2024-03-05">
March 5, 2024
</time>
</dd>
<dt id="issued">Issued</dt>
<dd>
<time datetime="2024-03-06">
March 6, 2024
</time>
</dd>
<dt id="package">Package</dt>
<dd>
<a href="/packages/eyre.html">eyre</a>
(<a href="https://crates.io/crates/eyre">crates.io</a>)
</dd>
<dt id="type">Type</dt>
<dd>
Vulnerability
</dd>
<dt id="categories">Categories</dt>
<dd>
<ul>
<li><a href="/categories/memory-corruption.html">memory-corruption</a></li>
</ul>
</dd>
<dt id="details">References</dt>
<dd>
<ul>
<li>
<a href="https://github.com/eyre-rs/eyre/issues/141">
https://github.com/eyre-rs/eyre/issues/141
</a>
</li>
</ul>
</dd>
<dt id="patched">Patched</dt>
<dd>
<ul>
<li><code>>=0.6.12</code></li>
</ul>
</dd>
<dt id="unaffected">Unaffected</dt>
<dd>
<ul>
<li><code><0.6.9</code></li>
</ul>
</dd>
</dl>
<dl>
<dt>Affected Functions</dt>
<dd>Version</dd>
<dt><code>eyre::Report::downcast</code></dt>
<dd>
<ul>
<li><code>>=0.6.9, <0.6.12</code></li>
</ul>
</dd>
</dl>
<h3 id="description">Description</h3>
<p>In affected versions, after a <code>Report</code> is constructed using <code>wrap_err</code> or
<code>wrap_err_with</code> to attach a message of type <code>D</code> onto an error of type <code>E</code>, then
using <code>downcast</code> to recover ownership of either the value of type <code>D</code> or the
value of type <code>E</code>, one of two things can go wrong:</p>
<ul>
<li>
<p>If downcasting to <code>E</code>, there remains a value of type <code>D</code> to be dropped. It is
incorrectly "dropped" by running <code>E</code>'s drop behavior, rather than <code>D</code>'s. For
example if <code>D</code> is <code>&str</code> and <code>E</code> is <code>std::io::Error</code>, there would be a call of
<code>std::io::Error::drop</code> in which the reference received by the <code>Drop</code> impl does
not refer to a valid value of type <code>std::io::Error</code>, but instead to <code>&str</code>.</p>
</li>
<li>
<p>If downcasting to <code>D</code>, there remains a value of type <code>E</code> to be dropped. When
<code>D</code> and <code>E</code> do not happen to be the same size, <code>E</code>'s drop behavior is
incorrectly executed in the wrong location. The reference received by the
<code>Drop</code> impl may point left or right of the real <code>E</code> value that is meant to be
getting dropped.</p>
</li>
</ul>
<p>In both cases, when the <code>Report</code> contains an error <code>E</code> that has nontrivial drop
behavior, the most likely outcome is memory corruption.</p>
<p>When the <code>Report</code> contains an error <code>E</code> that has trivial drop behavior (for
example a <code>Utf8Error</code>) but where <code>D</code> has nontrivial drop behavior (such as
<code>String</code>), the most likely outcome is that downcasting to <code>E</code> would leak <code>D</code>.</p>
<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.
</p>
</article>

RUSTSEC-2024-0020: Vulnerability in whoami (https://rustsec.org/advisories/RUSTSEC-2024-0020.html; updated 2024-03-06T12:00:00+00:00; published 2024-03-05T12:00:00+00:00). Summary: Stack buffer overflow with whoami on several Unix platforms
<article>
<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/whoami/RUSTSEC-2024-0020.md">History</a> ⋅
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/whoami/RUSTSEC-2024-0020.md">Edit</a> ⋅
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2024-0020">JSON (OSV)</a>
</span>
<header>
<h1>
RUSTSEC-2024-0020
</h1>
<span class="subtitle"><p>Stack buffer overflow with whoami on several Unix platforms</p>
</span>
</header>
<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2024-02-28">
February 28, 2024
</time>
</dd>
<dt id="issued">Issued</dt>
<dd>
<time datetime="2024-03-05">
March 5, 2024
</time>
<time datetime="2024-03-06">
(last modified: March 6, 2024)
</time>
</dd>
<dt id="package">Package</dt>
<dd>
<a href="/packages/whoami.html">whoami</a>
(<a href="https://crates.io/crates/whoami">crates.io</a>)
</dd>
<dt id="type">Type</dt>
<dd>
Vulnerability
</dd>
<dt id="categories">Categories</dt>
<dd>
<ul>
<li><a href="/categories/denial-of-service.html">denial-of-service</a></li>
<li><a href="/categories/memory-corruption.html">memory-corruption</a></li>
</ul>
</dd>
<dt id="keywords">Keywords</dt>
<dd>
<a href="/keywords/buffer-overflow.html">#buffer-overflow</a>
<a href="/keywords/stack-buffer-overflow.html">#stack-buffer-overflow</a>
<a href="/keywords/cwe-121.html">#cwe-121</a>
</dd>
<dt id="details">References</dt>
<dd>
<ul>
<li>
<a href="https://github.com/ardaku/whoami/issues/91">
https://github.com/ardaku/whoami/issues/91
</a>
</li>
</ul>
</dd>
<dt id="patched">Patched</dt>
<dd>
<ul>
<li><code>>=1.5.0</code></li>
</ul>
</dd>
<dt id="unaffected">Unaffected</dt>
<dd>
<ul>
<li><code><0.5.3</code></li>
</ul>
</dd>
<dt>Affected OSes</dt>
<dd>
<ul>
<li><code>illumos</code></li>
<li><code>solaris</code></li>
<li><code>dragonfly</code></li>
<li><code>freebsd</code></li>
<li><code>netbsd</code></li>
<li><code>openbsd</code></li>
</ul>
</dd>
</dl>
<dl>
<dt>Affected Functions</dt>
<dd>Version</dd>
<dt><code>whoami::realname</code></dt>
<dd>
<ul>
<li><code><1.5.0</code></li>
</ul>
</dd>
<dt><code>whoami::realname_os</code></dt>
<dd>
<ul>
<li><code><1.5.0</code></li>
</ul>
</dd>
<dt><code>whoami::username</code></dt>
<dd>
<ul>
<li><code><1.5.0</code></li>
</ul>
</dd>
<dt><code>whoami::username_os</code></dt>
<dd>
<ul>
<li><code><1.5.0</code></li>
</ul>
</dd>
</dl>
<h3 id="description">Description</h3>
<p>With versions of the whoami crate >= 0.5.3 and < 1.5.0, calling any of these functions leads to an
immediate stack buffer overflow on illumos and Solaris:</p>
<ul>
<li><code>whoami::username</code></li>
<li><code>whoami::realname</code></li>
<li><code>whoami::username_os</code></li>
<li><code>whoami::realname_os</code></li>
</ul>
<p>With versions of the whoami crate >= 0.5.3 and < 1.0.1, calling any of the above functions also
leads to a stack buffer overflow on these platforms:</p>
<ul>
<li>Bitrig</li>
<li>DragonFlyBSD</li>
<li>FreeBSD</li>
<li>NetBSD</li>
<li>OpenBSD</li>
</ul>
<p>This occurs because of an incorrect definition of the <code>passwd</code> struct on those platforms.</p>
<p>As a result of this issue, denial of service and data corruption have both been observed in the
wild. The issue is possibly exploitable as well.</p>
<p>This vulnerability also affects other Unix platforms that aren't Linux or macOS.</p>
<p>This issue has been addressed in whoami 1.5.0.</p>
<p>For more information, see <a href="https://github.com/ardaku/whoami/issues/91">this GitHub issue</a>.</p>
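<p>The following is an added example, not whoami's code, of the discipline that prevents this class of bug when a crate calls <code>getpwuid_r</code> directly. The advisory's root cause is a hand-written <code>passwd</code> definition that did not match the platform's C struct, so libc wrote past the Rust value (FreeBSD's <code>struct passwd</code>, for instance, carries extra fields such as <code>pw_class</code> and <code>pw_expire</code>). Here the layout is declared only for Linux, where glibc and musl agree; its size is checked at compile time; every other target gets a function that returns an error rather than a guessed struct; and the string buffer lives on the heap and is regrown on <code>ERANGE</code>. In real code take the struct from the <code>libc</code> crate, which carries per-target definitions. The constants, the module name and the <code>-1</code> sentinel are this example's own.</p>

```rust
// Added example: getpwuid_r with an explicit, checked FFI layout.
use std::ffi::CStr;
use std::os::raw::c_int;

#[cfg(target_os = "linux")]
pub mod sys {
    use std::os::raw::{c_char, c_int};

    /// Layout of glibc's and musl's `struct passwd` (assumption: Linux only).
    #[repr(C)]
    #[allow(dead_code)]
    pub struct Passwd {
        pub pw_name: *mut c_char,
        pub pw_passwd: *mut c_char,
        pub pw_uid: u32,
        pub pw_gid: u32,
        pub pw_gecos: *mut c_char,
        pub pw_dir: *mut c_char,
        pub pw_shell: *mut c_char,
    }

    // Compile-time layout check: five pointers plus two 32-bit ids. A struct
    // that silently differs from the C one fails here, not at runtime.
    const _: () = assert!(
        std::mem::size_of::<Passwd>() == 5 * std::mem::size_of::<usize>() + 8
    );

    /// errno value meaning "buffer too small" on Linux.
    pub const ERANGE: c_int = 34;

    unsafe extern "C" {
        pub fn getuid() -> u32;
        pub fn getpwuid_r(
            uid: u32,
            pwd: *mut Passwd,
            buf: *mut c_char,
            buflen: usize,
            result: *mut *mut Passwd,
        ) -> c_int;
    }
}

/// Login name of the current user: `Ok(None)` when the uid has no passwd
/// entry, `Err(errno)` on failure. Grows the scratch buffer on ERANGE, so a
/// long entry can never overflow anything, and gives up at 1 MiB.
#[cfg(target_os = "linux")]
pub fn current_username() -> Result<Option<String>, c_int> {
    use std::mem::MaybeUninit;
    let mut buf: Vec<std::os::raw::c_char> = vec![0; 1024];
    loop {
        let mut pwd = MaybeUninit::<sys::Passwd>::uninit();
        let mut result: *mut sys::Passwd = std::ptr::null_mut();
        // SAFETY: `pwd` and `buf` are valid for writes of the sizes passed,
        // and `Passwd` matches the C layout (checked at compile time above).
        let rc = unsafe {
            sys::getpwuid_r(sys::getuid(), pwd.as_mut_ptr(), buf.as_mut_ptr(), buf.len(), &mut result)
        };
        if rc == sys::ERANGE && buf.len() < (1 << 20) {
            buf.resize(buf.len() * 2, 0);
            continue;
        }
        if rc != 0 {
            return Err(rc);
        }
        if result.is_null() {
            return Ok(None);
        }
        // SAFETY: rc == 0 with a non-null result means libc filled `pwd`,
        // and pw_name points into `buf`, which is still alive.
        let pwd = unsafe { pwd.assume_init() };
        let name = unsafe { CStr::from_ptr(pwd.pw_name) };
        return Ok(Some(name.to_string_lossy().into_owned()));
    }
}

/// On any other target the layout is unverified, so there is no FFI path:
/// callers get an explicit error instead of a silently wrong struct.
#[cfg(not(target_os = "linux"))]
pub fn current_username() -> Result<Option<String>, c_int> {
    Err(-1)
}

fn main() {
    println!("{:?}", current_username());
}
```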
<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.
</p>
</article>

RUSTSEC-2024-0019: Vulnerability in mio (https://rustsec.org/advisories/RUSTSEC-2024-0019.html; updated 2024-03-04T12:00:00+00:00; published 2024-03-04T12:00:00+00:00). Summary: Tokens for named pipes may be delivered after deregistration
<article>
<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/mio/RUSTSEC-2024-0019.md">History</a> ⋅
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/mio/RUSTSEC-2024-0019.md">Edit</a> ⋅
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2024-0019">JSON (OSV)</a>
</span>
<header>
<h1>
RUSTSEC-2024-0019
</h1>
<span class="subtitle"><p>Tokens for named pipes may be delivered after deregistration</p>
</span>
</header>
<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2024-03-04">
March 4, 2024
</time>
</dd>
<dt id="issued">Issued</dt>
<dd>
<time datetime="2024-03-04">
March 4, 2024
</time>
</dd>
<dt id="package">Package</dt>
<dd>
<a href="/packages/mio.html">mio</a>
(<a href="https://crates.io/crates/mio">crates.io</a>)
</dd>
<dt id="type">Type</dt>
<dd>
Vulnerability
</dd>
<dt id="aliases">Aliases</dt>
<dd>
<ul>
<li>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27308">CVE-2024-27308</a>
</li>
<li>
<a href="https://github.com/advisories/GHSA-r8w9-5wcg-vfj7">GHSA-r8w9-5wcg-vfj7</a>
</li>
</ul>
</dd>
<dt id="details">References</dt>
<dd>
<ul>
<li>
<a href="https://github.com/tokio-rs/mio/security/advisories/GHSA-r8w9-5wcg-vfj7">
https://github.com/tokio-rs/mio/security/advisories/GHSA-r8w9-5wcg-vfj7
</a>
</li>
</ul>
</dd>
<dt id="patched">Patched</dt>
<dd>
<ul>
<li><code>>=0.8.11</code></li>
</ul>
</dd>
<dt id="unaffected">Unaffected</dt>
<dd>
<ul>
<li><code><0.7.2</code></li>
</ul>
</dd>
<dt>Affected OSes</dt>
<dd>
<ul>
<li><code>windows</code></li>
</ul>
</dd>
</dl>
<dl>
<dt>Affected Functions</dt>
<dd>Version</dd>
<dt><code>mio::windows::NamedPipe::new</code></dt>
<dd>
<ul>
<li><code>>=0.7.2, <=0.8.10</code></li>
</ul>
</dd>
</dl>
<h3 id="description">Description</h3>
<h2>Impact</h2>
<p>When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free.</p>
<p>For users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio.</p>
<p>The vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected.</p>
<h2>Affected versions</h2>
<p>This vulnerability has been fixed in mio v0.8.11.</p>
<p>All versions of mio between v0.7.2 and v0.8.10 are vulnerable.</p>
<p>Tokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable.</p>
<h2>Workarounds</h2>
<p>Vulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.</p>
<h2>Technical details</h2>
<p>When an IO resource registered with mio has a readiness event, mio delivers that readiness event to the user using a user-specified token. Mio guarantees that when an IO resource is <a href="https://docs.rs/mio/latest/mio/struct.Registry.html#method.deregister">deregistered</a>, then it will never return the token for that IO resource again. However, for named pipes on windows, mio may sometimes deliver the token for a named pipe even though the named pipe has been previously deregistered.</p>
<p>This vulnerability was originally reported in the Tokio issue tracker: <a href="https://github.com/tokio-rs/tokio/issues/6369">tokio-rs/tokio#6369</a><br />
This vulnerability was fixed in: <a href="https://github.com/tokio-rs/mio/pull/1760">tokio-rs/mio#1760</a></p>
<p>Thank you to <a href="https://github.com/rofoun">@rofoun</a> and <a href="https://github.com/radekvit">@radekvit</a> for discovering and reporting this issue.</p>
<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.
</p>
</article>

RUSTSEC-2023-0083: Vulnerability in blurhash (https://rustsec.org/advisories/RUSTSEC-2023-0083.html; updated 2024-03-02T12:00:00+00:00; published 2024-03-02T12:00:00+00:00). Summary: blurhash: panic on parsing crafted blurhash inputs
<article>
<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/blurhash/RUSTSEC-2023-0083.md">History</a> ⋅
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/blurhash/RUSTSEC-2023-0083.md">Edit</a> ⋅
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2023-0083">JSON (OSV)</a>
</span>
<header>
<h1>
RUSTSEC-2023-0083
</h1>
<span class="subtitle"><p>blurhash: panic on parsing crafted blurhash inputs</p>
</span>
</header>
<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2023-09-19">
September 19, 2023
</time>
</dd>
<dt id="issued">Issued</dt>
<dd>
<time datetime="2024-03-02">
March 2, 2024
</time>
</dd>
<dt id="package">Package</dt>
<dd>
<a href="/packages/blurhash.html">blurhash</a>
(<a href="https://crates.io/crates/blurhash">crates.io</a>)
</dd>
<dt id="type">Type</dt>
<dd>
Vulnerability
</dd>
<dt id="categories">Categories</dt>
<dd>
<ul>
<li><a href="/categories/denial-of-service.html">denial-of-service</a></li>
</ul>
</dd>
<dt id="keywords">Keywords</dt>
<dd>
<a href="/keywords/panic.html">#panic</a>
<a href="/keywords/untrusted-input.html">#untrusted-input</a>
<a href="/keywords/parsing.html">#parsing</a>
</dd>
<dt id="aliases">Aliases</dt>
<dd>
<ul>
<li>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42447">CVE-2023-42447</a>
</li>
<li>
<a href="https://github.com/whisperfish/blurhash-rs/security/advisories/GHSA-cxvp-82cq-57h2">GHSA-cxvp-82cq-57h2</a>
</li>
</ul>
</dd>
<dt id="details">References</dt>
<dd>
<ul>
<li>
<a href="https://github.com/whisperfish/blurhash-rs/security/advisories/GHSA-cxvp-82cq-57h2">
https://github.com/whisperfish/blurhash-rs/security/advisories/GHSA-cxvp-82cq-57h2
</a>
</li>
<li>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42447">
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42447
</a>
</li>
</ul>
</dd>
<dt id="cvss_score">CVSS Score</dt>
<dd>8.6 <span class="tag high">
HIGH
</span></dd>
<dt id="cvss_details">CVSS Details</dt>
<dd>
<dl>
<dt>Attack vector</dt><dd>Network</dd>
<dt>Attack complexity</dt><dd>Low</dd>
<dt>Privileges required</dt><dd>None</dd>
<dt>User interaction</dt><dd>None</dd>
<dt>Scope</dt><dd>Changed</dd>
<dt>Confidentiality</dt><dd>None</dd>
<dt>Integrity</dt><dd>None</dd>
<dt>Availability</dt><dd>High</dd>
</dl>
</dd>
<dt id="cvss">CVSS Vector</dt>
<dd><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H</a></dd>
<dt id="patched">Patched</dt>
<dd>
<ul>
<li><code>>=0.2.0</code></li>
</ul>
</dd>
</dl>
<dl>
<dt>Affected Functions</dt>
<dd>Version</dd>
<dt><code>blurhash::decode</code></dt>
<dd>
<ul>
<li><code>*</code></li>
</ul>
</dd>
</dl>
<h3 id="description">Description</h3>
<h2>Impact</h2>
<p>The blurhash parsing code may panic because several of its accesses into the untrusted input are bounds-checked rather than validated: an out-of-bounds index aborts with a panic instead of returning an error.</p>
<p>In a typical deployment this can be triggered by feeding a maliciously crafted blurhash over the network. Such inputs include:</p>
<ul>
<li>UTF-8 compliant strings containing multi-byte UTF-8 characters</li>
</ul>
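<p>The following is an added example, not blurhash-rs code, showing the header parse of a blurhash written two ways. A blurhash is base83 text whose first character encodes the component counts (<code>numX = v % 9 + 1</code>, <code>numY = v / 9 + 1</code>), so the whole string must be exactly <code>4 + 2 * numX * numY</code> characters, and characters 2..6 pack the average colour. Slicing a <code>&amp;str</code> by byte range panics when the index falls inside a multi-byte character, which is exactly what a leading non-ASCII character produces; working on <code>as_bytes()</code> with a lookup that can fail turns the same input into an error. Whether this is the precise access that panicked in blurhash-rs is not stated by the advisory, and the names and error type are this example's own.</p>

```rust
// Added example: blurhash header parsing, unchecked vs. checked.

/// The standard blurhash base83 alphabet.
const BASE83: &[u8] =
    b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz#$%*+,-.:;=?@[]^_{|}~";

#[derive(Debug, PartialEq, Eq)]
pub enum HashError {
    Empty,
    /// A byte outside the alphabet; every byte of a multi-byte UTF-8
    /// character lands here, since the alphabet is pure ASCII.
    NotBase83(u8),
    LengthMismatch { expected: usize, actual: usize },
}

#[derive(Debug, PartialEq, Eq)]
pub struct Header {
    pub num_x: usize,
    pub num_y: usize,
}

fn base83_value(b: u8) -> Result<usize, HashError> {
    BASE83.iter().position(|&c| c == b).ok_or(HashError::NotBase83(b))
}

/// Unchecked shape: byte-range slicing of a `&str` plus an unwrapped lookup.
/// `&hash[0..1]` panics when byte 1 is inside a multi-byte character (or the
/// string is empty), and `unwrap` panics on any character outside the alphabet.
pub fn parse_header_unchecked(hash: &str) -> Header {
    let first = &hash[0..1];
    let v = BASE83.iter().position(|&c| c == first.as_bytes()[0]).unwrap();
    Header { num_x: v % 9 + 1, num_y: v / 9 + 1 }
}

/// Checked shape: operates on bytes, so there is no char boundary to trip
/// on; the header-derived length is verified before anything else is read,
/// and every remaining byte is confirmed to be in the alphabet.
pub fn parse_header(hash: &str) -> Result<Header, HashError> {
    let bytes = hash.as_bytes();
    let &flag = bytes.first().ok_or(HashError::Empty)?;
    let v = base83_value(flag)?;
    let header = Header { num_x: v % 9 + 1, num_y: v / 9 + 1 };
    let expected = 4 + 2 * header.num_x * header.num_y;
    if bytes.len() != expected {
        return Err(HashError::LengthMismatch { expected, actual: bytes.len() });
    }
    for &b in &bytes[1..] {
        base83_value(b)?;
    }
    Ok(header)
}

/// Average colour (DC term): characters 2..6 as a base83 number packing
/// 8-bit sRGB R, G, B. Only runs after `parse_header` has validated length
/// and alphabet, so the fixed-range index below cannot fail.
pub fn dc_rgb(hash: &str) -> Result<(u8, u8, u8), HashError> {
    parse_header(hash)?;
    let v = hash.as_bytes()[2..6]
        .iter()
        .try_fold(0usize, |acc, &b| -> Result<usize, HashError> {
            Ok(acc * 83 + base83_value(b)?)
        })?;
    Ok(((v >> 16) as u8, ((v >> 8) & 0xff) as u8, (v & 0xff) as u8))
}

fn main() {
    let good = "LEHV6nWB2yk8pyo0adR*.7kCMdnj";
    println!("{:?} {:?}", parse_header(good), dc_rgb(good));
    // A crafted input: a multi-byte first character. The checked parser
    // reports NotBase83(0xc3); the unchecked one panics on a char boundary.
    println!("{:?}", parse_header("\u{e9}EHV6nWB2yk8pyo0adR*.7kCMdnj"));
}
```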
<h2>Patches</h2>
<p>The patches were released under version 0.2.0, which may require user intervention because of slight API churn.</p>
<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.
</p>
</article>

RUSTSEC-2024-0018: Vulnerability in crayon (https://rustsec.org/advisories/RUSTSEC-2024-0018.html; updated 2024-03-01T12:00:00+00:00; published 2024-03-01T12:00:00+00:00). Summary: ObjectPool creates uninitialized memory when freeing objects
<article>
<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/crayon/RUSTSEC-2024-0018.md">History</a> ⋅
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/crayon/RUSTSEC-2024-0018.md">Edit</a> ⋅
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2024-0018">JSON (OSV)</a>
</span>
<header>
<h1>
RUSTSEC-2024-0018
</h1>
<span class="subtitle"><p>ObjectPool creates uninitialized memory when freeing objects</p>
</span>
</header>
<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2024-02-27">
February 27, 2024
</time>
</dd>
<dt id="issued">Issued</dt>
<dd>
<time datetime="2024-03-01">
March 1, 2024
</time>
</dd>
<dt id="package">Package</dt>
<dd>
<a href="/packages/crayon.html">crayon</a>
(<a href="https://crates.io/crates/crayon">crates.io</a>)
</dd>
<dt id="type">Type</dt>
<dd>
Vulnerability
</dd>
<dt id="categories">Categories</dt>
<dd>
<ul>
<li><a href="/categories/memory-corruption.html">memory-corruption</a></li>
</ul>
</dd>
<dt id="keywords">Keywords</dt>
<dd>
<a href="/keywords/std--mem--uninitialized.html">#std--mem--uninitialized</a>
<a href="/keywords/address-sanitizer.html">#address-sanitizer</a>
</dd>
<dt id="details">References</dt>
<dd>
<ul>
<li>
<a href="https://github.com/shawnscode/crayon/issues/109">
https://github.com/shawnscode/crayon/issues/109
</a>
</li>
</ul>
</dd>
<dt id="patched">Patched</dt>
<dd>
no patched versions
</dd>
<dt id="unaffected">Unaffected</dt>
<dd>
<ul>
<li><code><0.6.0</code></li>
</ul>
</dd>
</dl>
<dl>
<dt>Affected Functions</dt>
<dd>Version</dd>
<dt><code>crayon::utils::object_pool::ObjectPool<H,T>::free</code></dt>
<dd>
<ul>
<li><code>>=0.6.0</code></li>
</ul>
</dd>
</dl>
<h3 id="description">Description</h3>
<p>As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its
type parameter when it attempts to free an object, and swaps it into the storage. This
causes instant undefined behavior due to reading the uninitialized memory in order to
write it to the pool storage.</p>
<p>Extremely basic usage of the crate can trigger this issue, e.g. this code from a doctest:</p>
<pre><code class="language-rust">use crayon::prelude::*;

fn main() {
    application::oneshot().unwrap();
    let params = MeshParams::default();
    let mesh = video::create_mesh(params, None).unwrap();
    // Deleting the mesh returns its slot to the ObjectPool, which on
    // affected versions swaps a mem::uninitialized() value into storage.
    video::delete_mesh(mesh); // <-- UB
}
</code></pre>
<p>The Clippy warning for this code was silenced in commit <code>c2fde19caf6149d91faa504263f0bc5cafc35de5</code>.</p>
<p>Discovered via <a href="https://asan.saethlin.dev/ub?crate=crayon&version=0.7.1">https://asan.saethlin.dev/ub?crate=crayon&version=0.7.1</a></p>
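<p>The following is an added example, not crayon's, mio's or Tokio's code, of one pool design that answers both this advisory and RUSTSEC-2024-0019 (mio) above. Handles, which play the role of mio's <code>Token</code> and crayon's object handles, carry a generation number as well as a slot index, so a handle that outlives its <code>free</code> is detected and ignored instead of being turned into a dangling pointer (the workaround the mio advisory describes), and freeing moves the value out with <code>Option::take</code>, so no uninitialized value is ever created (the defect in this advisory). A drop counter confirms each object is dropped exactly once. All names are this example's own.</p>

```rust
// Added example: a generational object pool that rejects stale handles and
// frees without ever creating an uninitialized value.
use std::sync::atomic::{AtomicUsize, Ordering};

/// Slot index plus the slot's generation at allocation time.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct Handle {
    index: u32,
    generation: u32,
}

struct Slot<T> {
    generation: u32,
    value: Option<T>,
}

pub struct Pool<T> {
    slots: Vec<Slot<T>>,
    free_list: Vec<u32>,
}

impl<T> Pool<T> {
    pub fn new() -> Self {
        Pool { slots: Vec::new(), free_list: Vec::new() }
    }

    pub fn alloc(&mut self, value: T) -> Handle {
        if let Some(index) = self.free_list.pop() {
            let slot = &mut self.slots[index as usize];
            debug_assert!(slot.value.is_none());
            slot.value = Some(value);
            return Handle { index, generation: slot.generation };
        }
        let index = self.slots.len() as u32;
        self.slots.push(Slot { generation: 0, value: Some(value) });
        Handle { index, generation: 0 }
    }

    /// The object behind a handle, or `None` if the handle is stale: freed,
    /// or freed and the slot since reused. A late readiness event carrying
    /// an old token therefore resolves to nothing rather than to a
    /// dangling pointer.
    pub fn get(&self, h: Handle) -> Option<&T> {
        let slot = self.slots.get(h.index as usize)?;
        if slot.generation != h.generation {
            return None;
        }
        slot.value.as_ref()
    }

    /// Frees the object and returns it to the caller. The generation is
    /// bumped so every outstanding copy of `h` becomes invalid, and the value
    /// is moved out with `take`, never replaced by an uninitialized
    /// placeholder. Double frees return `None`. (After 2^32 frees of one slot
    /// the counter wraps; a production pool would retire the slot instead.)
    pub fn free(&mut self, h: Handle) -> Option<T> {
        let slot = self.slots.get_mut(h.index as usize)?;
        if slot.generation != h.generation {
            return None;
        }
        let value = slot.value.take()?;
        slot.generation = slot.generation.wrapping_add(1);
        self.free_list.push(h.index);
        Some(value)
    }
}

/// Drop counter for a value with observable drop (constructed for this example).
pub static DROPS: AtomicUsize = AtomicUsize::new(0);
pub struct Tracked(pub &'static str);
impl Drop for Tracked {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
    }
}

/// The mio scenario: an event for a named pipe arrives after the pipe was
/// deregistered, and the freed slot is then reused. Returns what a consumer
/// resolved each event to: `Some(name)` for a live handle, `None` for a stale one.
pub fn stale_token_scenario() -> Vec<Option<&'static str>> {
    let mut pool = Pool::new();
    let pipe = pool.alloc(Tracked("pipe-a"));
    let mut seen = Vec::new();
    seen.push(pool.get(pipe).map(|t| t.0)); // live: Some("pipe-a")
    drop(pool.free(pipe)); // deregistered; dropped exactly once here
    seen.push(pool.get(pipe).map(|t| t.0)); // late event: None
    let reused = pool.alloc(Tracked("pipe-b")); // same slot, new generation
    seen.push(pool.get(pipe).map(|t| t.0)); // old handle still None
    seen.push(pool.get(reused).map(|t| t.0)); // Some("pipe-b")
    assert_eq!(reused.index, pipe.index);
    assert_ne!(reused.generation, pipe.generation);
    seen
}

fn main() {
    println!("{:?}", stale_token_scenario());
}
```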
<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.
</p>
</article>

RUSTSEC-2023-0082: Vulnerability in phonenumber (https://rustsec.org/advisories/RUSTSEC-2023-0082.html; updated 2024-02-29T12:00:00+00:00; published 2024-02-29T12:00:00+00:00). Summary: phonenumber: panic on parsing crafted RFC 3966 phonenumber inputs
<article>
<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/phonenumber/RUSTSEC-2023-0082.md">History</a> ⋅
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/phonenumber/RUSTSEC-2023-0082.md">Edit</a> ⋅
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2023-0082">JSON (OSV)</a>
</span>
<header>
<h1>
RUSTSEC-2023-0082
</h1>
<span class="subtitle"><p>phonenumber: panic on parsing crafted RFC 3966 phonenumber inputs</p>
</span>
</header>
<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2023-09-19">
September 19, 2023
</time>
</dd>
<dt id="issued">Issued</dt>
<dd>
<time datetime="2024-02-29">
February 29, 2024
</time>
</dd>
<dt id="package">Package</dt>
<dd>
<a href="/packages/phonenumber.html">phonenumber</a>
(<a href="https://crates.io/crates/phonenumber">crates.io</a>)
</dd>
<dt id="type">Type</dt>
<dd>
Vulnerability
</dd>
<dt id="categories">Categories</dt>
<dd>
<ul>
<li><a href="/categories/denial-of-service.html">denial-of-service</a></li>
</ul>
</dd>
<dt id="keywords">Keywords</dt>
<dd>
<a href="/keywords/panic.html">#panic</a>
<a href="/keywords/untrusted-input.html">#untrusted-input</a>
<a href="/keywords/parsing.html">#parsing</a>
</dd>
<dt id="aliases">Aliases</dt>
<dd>
<ul>
<li>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42444">CVE-2023-42444</a>
</li>
<li>
<a href="https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2">GHSA-whhr-7f2w-qqj2</a>
</li>
</ul>
</dd>
<dt id="details">References</dt>
<dd>
<ul>
<li>
<a href="https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2">
https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2
</a>
</li>
<li>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42444">
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42444
</a>
</li>
</ul>
</dd>
<dt id="cvss_score">CVSS Score</dt>
<dd>8.6 <span class="tag high">
HIGH
</span></dd>
<dt id="cvss_details">CVSS Details</dt>
<dd>
<dl>
<dt>Attack vector</dt><dd>Network</dd>
<dt>Attack complexity</dt><dd>Low</dd>
<dt>Privileges required</dt><dd>None</dd>
<dt>User interaction</dt><dd>None</dd>
<dt>Scope</dt><dd>Changed</dd>
<dt>Confidentiality</dt><dd>None</dd>
<dt>Integrity</dt><dd>None</dd>
<dt>Availability</dt><dd>High</dd>
</dl>
</dd>
<dt id="cvss">CVSS Vector</dt>
<dd><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H</a></dd>
<dt id="patched">Patched</dt>
<dd>
<ul>
<li><code>>=0.2.5, <0.3.0</code></li>
<li><code>>=0.3.3</code></li>
</ul>
</dd>
</dl>
<dl>
<dt>Affected Functions</dt>
<dd>Version</dd>
<dt><code>phonenumber::parse</code></dt>
<dd>
<ul>
<li><code>*</code></li>
</ul>
</dd>
</dl>
<h3 id="description">Description</h3>
<h3>Impact</h3>
<p>The phonenumber parsing code may panic because an index into the phonenumber string is bounds-checked rather than validated: on crafted input the out-of-bounds access aborts with a panic instead of returning an error.</p>
<p>In a typical deployment of <code>rust-phonenumber</code>, this can be triggered by feeding a maliciously crafted phonenumber over the network, specifically the string <code>.;phone-context=</code> (an RFC 3966 <code>phone-context</code> parameter with an empty value).</p>
<h3>Patches</h3>
<p>Patches were published as version <code>0.3.3+8.13.9</code> and backported as <code>0.2.5+8.11.3</code>.</p>
<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.
</p>
</article>

RUSTSEC-2024-0017: Unsoundness in cassandra-cpp (https://rustsec.org/advisories/RUSTSEC-2024-0017.html; updated 2024-02-28T12:00:00+00:00; published 2024-02-28T12:00:00+00:00). Summary: Non-idiomatic use of iterators leads to use after free
<article>
<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/cassandra-cpp/RUSTSEC-2024-0017.md">History</a> ⋅
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/cassandra-cpp/RUSTSEC-2024-0017.md">Edit</a> ⋅
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2024-0017">JSON (OSV)</a>
</span>
<header>
<h1>
RUSTSEC-2024-0017
</h1>
<span class="subtitle"><p>Non-idiomatic use of iterators leads to use after free</p>
</span>
</header>
<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2024-02-28">
February 28, 2024
</time>
</dd>
<dt id="issued">Issued</dt>
<dd>
<time datetime="2024-02-28">
February 28, 2024
</time>
</dd>
<dt id="package">Package</dt>
<dd>
<a href="/packages/cassandra-cpp.html">cassandra-cpp</a>
(<a href="https://crates.io/crates/cassandra-cpp">crates.io</a>)
</dd>
<dt id="type">Type</dt>
<dd>
<span class="tag info">INFO</span>
Unsound
</dd>
<dt id="categories">Categories</dt>
<dd>
<ul>
<li><a href="/categories/memory-corruption.html">memory-corruption</a></li>
<li><a href="/categories/memory-exposure.html">memory-exposure</a></li>
</ul>
</dd>
<dt id="keywords">Keywords</dt>
<dd>
<a href="/keywords/memory-safety.html">#memory-safety</a>
<a href="/keywords/use-after-free.html">#use-after-free</a>
</dd>
<dt id="aliases">Aliases</dt>
<dd>
<ul>
<li>
<a href="https://github.com/advisories/GHSA-x9xc-63hg-vcfq">GHSA-x9xc-63hg-vcfq</a>
</li>
</ul>
</dd>
<dt id="details">References</dt>
<dd>
<ul>
<li>
<a href="https://github.com/Metaswitch/cassandra-rs/security/advisories/GHSA-x9xc-63hg-vcfq">
https://github.com/Metaswitch/cassandra-rs/security/advisories/GHSA-x9xc-63hg-vcfq
</a>
</li>
</ul>
</dd>
<dt id="patched">Patched</dt>
<dd>
<ul>
<li><code>>=3.0.0</code></li>
</ul>
</dd>
</dl>
<h3 id="description">Description</h3>
<p>Code that attempts to use an item (e.g., a row) returned by an iterator after the iterator has advanced to the next item will be accessing freed memory and experience undefined behaviour. Code that uses the item and then advances the iterator is unaffected. This problem has always existed.</p>
<p>This is a use-after-free bug, so it's rated high severity. If your code uses a pre-3.0.0 version of cassandra-rs, and uses an item returned by a cassandra-rs iterator after calling <code>next()</code> on that iterator, then it is vulnerable. However, such code will almost always fail immediately - so we believe it is unlikely that any code using this pattern would have reached production. For peace of mind, we recommend you upgrade anyway.</p>
<h2>Patches</h2>
<p>The problem has been fixed in version 3.0.0 (commit 299e6ac50f87eb2823a373baec37b590a74994ee). Users should upgrade to ensure their code cannot use the problematic pattern. There is an upgrade guide in the project README.</p>
<h2>Workarounds</h2>
<p>Ensure all usage fits the expected pattern. For example, use <code>get_first_row()</code> rather than an iterator, or completely process an item before advancing the iterator with <code>next()</code>.</p>
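<p>The following is an added example, not cassandra-rs code, of the API shape that makes the misuse described above impossible to compile. A "lending" cursor returns a borrow of the current item that is tied to the <code>&amp;mut self</code> used to advance, so the borrow checker rejects holding a row across the next <code>next()</code> call; such a cursor cannot implement the standard <code>Iterator</code> trait, which is the price of the guarantee. The rows here are stand-ins for the native driver's row objects: the previous one is dropped the moment the cursor advances, which is when the real driver frees it. Names are this example's own, and whether cassandra-rs 3.0.0 fixed the problem in exactly this way is not stated by the advisory.</p>

```rust
// Added example: a lending cursor whose items cannot outlive the next advance.

/// Stand-in for a row handed out by the native driver.
pub struct Row {
    pub id: u32,
    pub name: String,
}

/// Cursor over pending results. Unlike `Iterator::next`, this `next` returns
/// a borrow tied to the cursor itself.
pub struct Rows {
    pending: std::vec::IntoIter<(u32, String)>,
    current: Option<Row>,
}

impl Rows {
    pub fn new(rows: Vec<(u32, String)>) -> Self {
        Rows { pending: rows.into_iter(), current: None }
    }

    /// Frees the previous row (what the driver does) and yields the next.
    /// Because the returned `&Row` borrows from `&mut self`, this does not
    /// compile, which is the point:
    ///
    ///     let a = rows.next().unwrap();
    ///     let b = rows.next(); // error[E0499]: cannot borrow `rows` as mutable more than once
    ///     println!("{}", a.name);
    pub fn next(&mut self) -> Option<&Row> {
        self.current = self.pending.next().map(|(id, name)| Row { id, name });
        self.current.as_ref()
    }

    /// The `get_first_row()` style the advisory recommends: consume the
    /// cursor and return an owned row, leaving no iterator to advance.
    pub fn into_first_row(mut self) -> Option<Row> {
        self.pending.next().map(|(id, name)| Row { id, name })
    }
}

/// The expected pattern: each row is fully processed before advancing.
pub fn collect_rows(rows: &mut Rows) -> Vec<String> {
    let mut out = Vec::new();
    while let Some(row) = rows.next() {
        out.push(format!("{}:{}", row.id, row.name));
    }
    out
}

fn main() {
    // Constructed sample data.
    let mut rows = Rows::new(vec![(1, "alice".to_string()), (2, "bob".to_string())]);
    println!("{:?}", collect_rows(&mut rows)); // ["1:alice", "2:bob"]
}
```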
<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.
</p>
</article>

RUSTSEC-2023-0081: safemem is unmaintained (https://rustsec.org/advisories/RUSTSEC-2023-0081.html; updated 2024-03-04T12:00:00+00:00; published 2024-02-22T12:00:00+00:00). Summary: safemem is unmaintained
<article>
<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/safemem/RUSTSEC-2023-0081.md">History</a> ⋅
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/safemem/RUSTSEC-2023-0081.md">Edit</a> ⋅
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2023-0081">JSON (OSV)</a>
</span>
<header>
<h1>
RUSTSEC-2023-0081
</h1>
<span class="subtitle"><p>safemem is unmaintained</p>
</span>
</header>
<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2023-02-14">
February 14, 2023
</time>
</dd>
<dt id="issued">Issued</dt>
<dd>
<time datetime="2024-02-22">
February 22, 2024
</time>
<time datetime="2024-03-04">
(last modified: March 4, 2024)
</time>
</dd>
<dt id="package">Package</dt>
<dd>
<a href="/packages/safemem.html">safemem</a>
(<a href="https://crates.io/crates/safemem">crates.io</a>)
</dd>
<dt id="type">Type</dt>
<dd>
<span class="tag info">INFO</span>
Unmaintained
</dd>
<dt id="details">References</dt>
<dd>
<ul>
<li>
<a href="https://github.com/abonander/safemem">
https://github.com/abonander/safemem
</a>
</li>
</ul>
</dd>
<dt id="patched">Patched</dt>
<dd>
no patched versions
</dd>
</dl>
<h3 id="description">Description</h3>
<p>The latest crates.io release was in 2019. The repository has been archived by the author.</p>
<h2>Migration</h2>
<ul>
<li>
<p><code>safemem::copy_over(slice, src_idx, dest_idx, len);</code> can be replaced with <code>slice.copy_within(src_idx..src_idx+len, dest_idx);</code> as of <code>rust 1.37.0</code>.</p>
</li>
<li>
<p><code>safemem::write_bytes(slice, byte);</code> can be replaced with <code>slice.fill(byte);</code> as of <code>rust 1.50.0</code></p>
</li>
<li>
<p><code>safemem::prepend(slice, vec);</code> can be replaced with</p>
<pre><code class="language-rust">let old_len = vec.len();
vec.extend_from_slice(slice);
vec.rotate_left(old_len);
</code></pre>
<p>as of <code>rust 1.26.0</code></p>
</li>
</ul>
<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.
</p>
</article>