From 3cf8a9354f099d08c0ccf9926a009c1cd2950f1f Mon Sep 17 00:00:00 2001
From: Ryan Lopopolo <rjl@hyperbo.la>
Date: Wed, 26 Jul 2023 15:11:22 -0700
Subject: [PATCH] Add advisory for unsoundness in intaglio symbol interners
 (#1732)

See:

- https://github.com/artichoke/intaglio/issues/235
- https://github.com/artichoke/intaglio/pull/236
- https://github.com/artichoke/intaglio/releases/tag/v1.9.0
---
 crates/intaglio/RUSTSEC-0000-0000.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 crates/intaglio/RUSTSEC-0000-0000.md

diff --git a/crates/intaglio/RUSTSEC-0000-0000.md b/crates/intaglio/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..d417555
--- /dev/null
+++ b/crates/intaglio/RUSTSEC-0000-0000.md
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "intaglio"
+date = "2023-07-26"
+url = "https://github.com/artichoke/intaglio/pull/236"
+references = [
+  "https://github.com/artichoke/intaglio/issues/235",
+  "https://github.com/artichoke/intaglio/pull/236",
+  "https://github.com/artichoke/intaglio/releases/tag/v1.9.0",
+]
+informational = "unsound"
+
+[affected]
+functions = { "intaglio::SymbolTable::intern" = ["< 1.9.0"], "intaglio::bytes::SymbolTable::intern" = ["< 1.9.0"], "intaglio::cstr::SymbolTable::intern" = ["< 1.9.0, >= 1.5.0"], "intaglio::osstr::SymbolTable::intern" = ["< 1.9.0, >= 1.5.0"], "intaglio::path::SymbolTable::intern" = ["< 1.9.0, >= 1.5.0"] }
+
+[versions]
+patched = [">= 1.9.0"]
+```
+
+# Unsoundness in `intern` methods on `intaglio` symbol interners
+
+Affected versions of this crate have a stacked borrows violation when creating
+references to interned contents. All interner types are affected.
+
+The flaw was corrected in version 1.9.0 by reordering move and borrowing
+operations and storing interned contents by raw pointer instead of as a `Box`.