Merge pull request #139 from sagebind/sagebind-patch-1

Add advisory for use-after-free in chttp 0.1.1, 0.1.2
2026-01-04 02:25:24 +01:00 · 2019-09-01 13:04:31 -07:00
parent 8476922c1c 8ed9e62129
commit 434b26a7e4
1 changed files with 16 additions and 0 deletions
--- a/crates/chttp/RUSTSEC-0000-0000.toml
+++ b/crates/chttp/RUSTSEC-0000-0000.toml
@@ -0,0 +1,16 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "chttp"
+date = "2019-09-01"
+title = "Use-after-free in buffer conversion implementation"
+description = """
+The From<Buffer> implementation for Vec<u8> was not properly implemented,
+returning a vector backed by freed memory. This could lead to memory corruption
+or be exploited to cause undefined behavior.
+ 
+A fix was published in version 0.1.3.
+"""
+patched_versions = [">= 0.1.3"]
+unaffected_versions = ["< 0.1.1"]
+url = "https://github.com/sagebind/isahc/issues/2"
+keywords = ["memory-management", "memory-corruption"]