[patched] Add advisory for use-after-free in rocket (#834)

* Add advisory for use-after-free in rocket * Clarify that the UAF can only happen during or after unwinding
2026-01-16 16:46:18 +01:00 · 2021-03-26 10:17:31 -04:00
parent 40e78f4922
commit 8f7af7c6c5
1 changed files with 33 additions and 0 deletions
--- a/crates/rocket/RUSTSEC-0000-0000.md
+++ b/crates/rocket/RUSTSEC-0000-0000.md
@@ -0,0 +1,33 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rocket"
+date = "2021-02-09"
+url = "https://github.com/SergioBenitez/Rocket/issues/1534"
+informational = "unsound"
+categories = ["memory-corruption"]
+keywords = ["memory-safety", "use-after-free"]
+
+[versions]
+patched = [">= 0.4.7"]
+```
+
+# Use after free possible in `uri::Formatter` on panic
+
+Affected versions of this crate transmuted a `&str` to a `&'static str` before
+pushing it into a `StackVec`, this value was then popped later in the same
+function.
+
+This was assumed to be safe because the reference would be valid while the
+method's stack was active. In between the push and the pop, however, a function
+`f` was called that could invoke a user provided function.
+
+If the user provided panicked, then the assumption used by the function was no
+longer true and the transmute to `&'static` would create an illegal static
+reference to the string. This could result in a freed string being used during
+(such as in a `Drop` implementation) or after (e.g through `catch_unwind`) the
+panic unwinding.
+
+This flaw was corrected in commit [e325e2f](https://github.com/SergioBenitez/Rocket/commit/e325e2fce4d9f9f392761e9fb58b418a48cef8bb)
+by using a guard object to ensure that the `&'static str` was dropped inside
+the function.