Merge pull request #197 from nagisa/flatbuffers

Add a flatbuffers unsound code advisory
2025-12-30 00:03:57 +01:00 · 2019-10-23 09:25:10 -07:00
parent 21ec94a22f d520ed489c
commit b810ef0f6b
1 changed files with 17 additions and 0 deletions
--- a/crates/flatbuffers/RUSTSEC-2019-0028.toml
+++ b/crates/flatbuffers/RUSTSEC-2019-0028.toml
@@ -0,0 +1,17 @@
+[advisory]
+id = "RUSTSEC-2019-0028"
+package = "flatbuffers"
+patched_versions = []
+unaffected_versions = ["< 0.4.0"]
+date = "2019-10-20"
+url = "https://github.com/google/flatbuffers/issues/5530"
+title = "Unsound `impl Follow for bool`"
+description = """
+The implementation of `impl Follow for bool` allows to reinterpret arbitrary bytes as a `bool`.
+
+In Rust `bool` has stringent requirements for its in-memory representation. Use of this function
+allows to violate these requirements and invoke undefined behaviour in safe code.
+"""
+
+[affected]
+functions = { "flatbuffers::Follow::follow" = [">= 0.4.0", "<= 0.6.0"] }