Added informal advisory to mz-avro (#1144)

* Added informal advisory to mz-avro * Update RUSTSEC-0000-0000.md * Update RUSTSEC-0000-0000.md * Updated date; fixed patch bracket; added note on unlikelyness.
2025-12-31 16:50:28 +01:00 · 2022-08-13 07:16:44 +02:00
parent d052179237
commit 4c1283751a
1 changed files with 28 additions and 0 deletions
--- a/crates/mz-avro/RUSTSEC-0000-0000.md
+++ b/crates/mz-avro/RUSTSEC-0000-0000.md
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "mz-avro"
+date = "2021-10-14"
+url = "https://github.com/MaterializeInc/materialize/issues/8669"
+categories = ["memory-exposure"]
+informational = "unsound"
+
+[versions]
+patched = [">= 0.7.0"]
+```
+
+# Incorrect use of `set_len` allows for un-initialized memory
+
+Affected versions of this crate passes an uninitialized buffer to a user-provided `Read` 
+implementation.
+
+Arbitrary `Read` implementations can read from the uninitialized buffer (memory exposure)
+and also can return incorrect number of bytes written to the buffer.
+Reading from uninitialized memory produces undefined values that can quickly invoke
+undefined behavior.
+
+Note: there is only UB in the case where a user provides a struct whose `Read`
+implementation inspects the buffer passed to `read_exact` before writing to it.
+This is an unidiomatic (albeit possible) `Read` implementation.
+
+See https://github.com/MaterializeInc/materialize/issues/8669 for details.