OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2025-12-27 06:29:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add advisory for possible use-after-free fixed in libpulse-binding v2.5.0

Browse Source
This commit is contained in:
Lyndon Brown
2020-10-22 02:42:24 +01:00
parent 7d14cb7de8
commit c128a6bdcd
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
crates/libpulse-binding/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,18 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "libpulse-binding"
date = "2018-12-22"
url = "https://github.com/jnqnfe/pulse-binding-rust/security/advisories/GHSA-f56g-chqp-22m9"
categories = ["memory-corruption"]
[versions]
patched = [">= 2.5.0"]
unaffected = ["< 1.0.5"]
```
# Possible use-after-free with `proplist::Iterator`
Affected versions contained a possible use-after-free issue with property list iteration due to a lack of a lifetime constraint tying the lifetime of a `proplist::Iterator` to the `Proplist` object for which it was created. This made it possible for users, without experiencing a compiler error/warning, to destroy the `Proplist` object before the iterator, thus destroying the underlying C object the iterator works upon, before the iterator may be finished with it.
This impacts all versions of the crate before 2.5.0 back to 1.0.5. Before version 1.0.5 the function that produces the iterator was broken to the point of being useless.