From 4f30ae8e7264a9775576d6265e6f398dc21f347b Mon Sep 17 00:00:00 2001
From: Georg Semmler
Date: Thu, 4 Mar 2021 19:15:19 +0100
Subject: [PATCH 1/3] Report use-after-free issue in diesels sqlite backend
---
 crates/diesel/RUSTSEC-0000-0000.md | 31 ++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 crates/diesel/RUSTSEC-0000-0000.md
diff --git a/crates/diesel/RUSTSEC-0000-0000.md b/crates/diesel/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..988389b
--- /dev/null
+++ b/crates/diesel/RUSTSEC-0000-0000.md
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "diesel"
+date = "2021-03-05"
+url = "https://github.com/diesel-rs/diesel/pull/2663"
+categories = ["memory-exposure"]
+keywords = ["use after free"]
+
+[affected]
+functions = { "diesel::SqliteConnection::query_by_name" = ["< 1.4.6"] }
+[versions]
+patched = [">= 1.4.6"]
+```
+
+# Fix a use-after-free bug in diesels Sqlite backend
+
+We've missused `sqlite3_column_name`. The
+[SQLite](https://www.sqlite.org/c3ref/column_name.html) documentation
+states that the following:
+
+> The returned string pointer is valid until either the prepared statement
+> is destroyed by sqlite3_finalize() or until the statement is automatically
+> reprepared by the first call to sqlite3_step() for a particular
+> run or until the next call to sqlite3_column_name()
+> or sqlite3_column_name16() on the same column.
+
+As part of our `query_by_name` infrastructure we've first received all
+field names for the prepared statement and stored them as string slices
+for later use. After that we called `sqlite3_step()` for the first time,
+which invalids the pointer and therefore the stored string slice.
From e5c10bccb95089facdb04782396f2bf330ba1929 Mon Sep 17 00:00:00 2001
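Review bot: The narrative stops at the mechanism and never states the consequence an auditor needs — that the column-name slices stored before the first `sqlite3_step()` dangle afterwards, so every later read of them is a use-after-free and undefined behaviour; a closing sentence such as `Any later use of those stored slices reads through a dangling pointer, which is undefined behaviour.` would make the impact explicit. The `functions` entry under `[affected]` is what cargo-audit uses to scope the advisory, so it is worth confirming that `diesel::SqliteConnection::query_by_name` is the item path the tool resolves — the text describes `query_by_name` as shared infrastructure, which suggests it may be reached through a trait rather than as an inherent method. Two wording defects survive the two follow-up patches in this series: `which invalids the pointer` should read `which invalidates the pointer`, and `diesels Sqlite backend` in the title should be `diesel's SQLite backend`. A blank line between the `functions = …` line and `[versions]` would match the spacing already used before `[affected]`.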
From: Georg Semmler
Date: Fri, 5 Mar 2021 09:12:08 +0000
Subject: [PATCH 2/3] Update crates/diesel/RUSTSEC-0000-0000.md
Co-authored-by: Sergey "Shnatsel" Davidoff
---
 crates/diesel/RUSTSEC-0000-0000.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crates/diesel/RUSTSEC-0000-0000.md b/crates/diesel/RUSTSEC-0000-0000.md
index 988389b..80da7a1 100644
--- a/crates/diesel/RUSTSEC-0000-0000.md
+++ b/crates/diesel/RUSTSEC-0000-0000.md
@@ -15,7 +15,7 @@ patched = [">= 1.4.6"]
 
 # Fix a use-after-free bug in diesels Sqlite backend
 
-We've missused `sqlite3_column_name`. The
+We've misused `sqlite3_column_name`. The
 [SQLite](https://www.sqlite.org/c3ref/column_name.html) documentation
 states that the following:
 
From c31f016dce2202384b451e0e463a909a0c9f4754 Mon Sep 17 00:00:00 2001
From: Georg Semmler
Date: Fri, 5 Mar 2021 12:18:06 +0000
Subject: [PATCH 3/3] Update crates/diesel/RUSTSEC-0000-0000.md
Co-authored-by: Sergey "Shnatsel" Davidoff
---
 crates/diesel/RUSTSEC-0000-0000.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crates/diesel/RUSTSEC-0000-0000.md b/crates/diesel/RUSTSEC-0000-0000.md
index 80da7a1..e0e4e61 100644
--- a/crates/diesel/RUSTSEC-0000-0000.md
+++ b/crates/diesel/RUSTSEC-0000-0000.md
@@ -4,7 +4,7 @@ id = "RUSTSEC-0000-0000"
 package = "diesel"
 date = "2021-03-05"
 url = "https://github.com/diesel-rs/diesel/pull/2663"
-categories = ["memory-exposure"]
+categories = ["memory-corruption"]
 keywords = ["use after free"]
 
 [affected]