Clarify flatbuffers RUSTSEC-2021-0122.md (#1268)

It may be hard for non-Rust experts to understand what the implications of "is `unsafe` but not marked as such" are.

I propose adding some more supporting information.
Andrew Lamb
2022-06-24 10:17:18 -04:00
committed by GitHub
parent 49fb6c0b94
commit 9e0c88bd78

@@ -15,6 +15,10 @@ patched = []
Code generated by flatbuffers' compiler is `unsafe` but not marked as such.
See https://github.com/google/flatbuffers/issues/6627 for details.
For example, if generated code is used to decode malformed or untrusted input
undefined behavior (and thus security vulnerabilities) are possible even without
the use of the `unsafe` keyword, [violating the the meaning of `safe`](https://doc.rust-lang.org/std/keyword.unsafe.html#the-different-meanings-of-unsafe) code;
All users that use generated code by `flatbuffers` compiler are recommended to:
1. not expose flatbuffer generated code as part of their public APIs
2. audit their code and look for any usage of `follow`, `push`, or any method that uses them
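Review bot: The "For example" sentence ends with a semicolon after the link ("... code;") and its link text has a doubled word, "violating the the meaning of `safe`". End it with a period, drop the extra "the", and leave a blank line before "All users that use generated code" so the recommendations render as their own paragraph. A comma after "untrusted input" and "is possible" (to agree with "undefined behavior") would also help it read cleanly. Since the change is aimed at readers who are not Rust experts, consider adding one clause on why `follow` and `push` are the methods to audit; the text names them without saying what they do with unvalidated input.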