From 4c1283751ade4621b5289404cc1c192ff01a2ebc Mon Sep 17 00:00:00 2001
From: Jorge Leitao <jorgecarleitao@gmail.com>
Date: Sat, 13 Aug 2022 07:16:44 +0200
Subject: [PATCH] Added informal advisory to mz-avro (#1144)

* Added informal advisory to mz-avro

* Update RUSTSEC-0000-0000.md

* Update RUSTSEC-0000-0000.md

* Updated date; fixed patch bracket; added note on unlikelyness.
---
 crates/mz-avro/RUSTSEC-0000-0000.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 crates/mz-avro/RUSTSEC-0000-0000.md

diff --git a/crates/mz-avro/RUSTSEC-0000-0000.md b/crates/mz-avro/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..ed143ef
--- /dev/null
+++ b/crates/mz-avro/RUSTSEC-0000-0000.md
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "mz-avro"
+date = "2021-10-14"
+url = "https://github.com/MaterializeInc/materialize/issues/8669"
+categories = ["memory-exposure"]
+informational = "unsound"
+
+[versions]
+patched = [">= 0.7.0"]
+```
+
+# Incorrect use of `set_len` allows for un-initialized memory
+
+Affected versions of this crate passes an uninitialized buffer to a user-provided `Read` 
+implementation.
+
+Arbitrary `Read` implementations can read from the uninitialized buffer (memory exposure)
+and also can return incorrect number of bytes written to the buffer.
+Reading from uninitialized memory produces undefined values that can quickly invoke
+undefined behavior.
+
+Note: there is only UB in the case where a user provides a struct whose `Read`
+implementation inspects the buffer passed to `read_exact` before writing to it.
+This is an unidiomatic (albeit possible) `Read` implementation.
+
+See https://github.com/MaterializeInc/materialize/issues/8669 for details.