From 2a867650cb5039d5cd85ae0fe8bdea8e28d59601 Mon Sep 17 00:00:00 2001
From: Simonas Kazlauskas
Date: Sun, 20 Oct 2019 17:59:05 +0300
Subject: [PATCH 1/2] Add a flatbuffers unsound code advisory

---
 crates/flatbuffers/RUSTSEC-2019-0024.toml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 crates/flatbuffers/RUSTSEC-2019-0024.toml

diff --git a/crates/flatbuffers/RUSTSEC-2019-0024.toml b/crates/flatbuffers/RUSTSEC-2019-0024.toml
new file mode 100644
index 0000000..571cbe7
--- /dev/null
+++ b/crates/flatbuffers/RUSTSEC-2019-0024.toml
@@ -0,0 +1,17 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "flatbuffers"
+patched_versions = []
+unaffected_versions = ["< 0.4.0"]
+date = "2019-10-20"
+url = "https://github.com/google/flatbuffers/issues/5530"
+title = "Unsound `impl Follow for bool`"
+description = """
+The implementation of `impl Follow for bool` allows to reinterpret arbitrary bytes as a `bool`.
+
+In Rust `bool` has stringent requirements for its in-memory representation. Use of this function
+allows to violate these requirements and invoke undefined behaviour in safe code.
+"""
+
+[affected]
+functions = { "flatbuffers::Follow::follow" = [">= 0.4.0", "<= 0.6.0"] }

From d520ed489cf197fea540209cc85251792dd7c2bb Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Wed, 23 Oct 2019 09:11:16 -0700
Subject: [PATCH 2/2] Assign RUSTSEC-2019-0028 to flatbuffers

---
 .../{RUSTSEC-2019-0024.toml => RUSTSEC-2019-0028.toml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename crates/flatbuffers/{RUSTSEC-2019-0024.toml => RUSTSEC-2019-0028.toml} (95%)

diff --git a/crates/flatbuffers/RUSTSEC-2019-0024.toml b/crates/flatbuffers/RUSTSEC-2019-0028.toml
similarity index 95%
rename from crates/flatbuffers/RUSTSEC-2019-0024.toml
rename to crates/flatbuffers/RUSTSEC-2019-0028.toml
index 571cbe7..ca74875 100644
--- a/crates/flatbuffers/RUSTSEC-2019-0024.toml
+++ b/crates/flatbuffers/RUSTSEC-2019-0028.toml
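Review bot: The function-level range in `[affected]` is capped at `<= 0.6.0`, but the top-level metadata (`patched_versions = []` together with `unaffected_versions = ["< 0.4.0"]`) declares every release from 0.4.0 onward as affected, so the two ranges disagree for any release newer than 0.6.0 and a consumer matching on the function range would clear versions the advisory itself considers vulnerable. If 0.6.0 is only the newest release at the time of writing, drop the upper bound, `functions = { "flatbuffers::Follow::follow" = [">= 0.4.0"] }`; if a fixed release actually exists, record it in `patched_versions` and keep both ranges in step. The description would also help triage if it named the concrete consequence, e.g. appending "Any byte other than 0 or 1 read as a `bool` is undefined behaviour, so decoding an untrusted buffer through this impl can trigger it from safe code." and tightening "allows to reinterpret" to "allows reinterpreting" / "allows to violate" to "can violate".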
@@ -1,5 +1,5 @@
 [advisory]
-id = "RUSTSEC-0000-0000"
+id = "RUSTSEC-2019-0028"
 package = "flatbuffers"
 patched_versions = []
 unaffected_versions = ["< 0.4.0"]