From c128a6bdcd175dd04411630ff4975d2c4604207e Mon Sep 17 00:00:00 2001
From: Lyndon Brown <jnqnfe@gmail.com>
Date: Thu, 22 Oct 2020 02:42:24 +0100
Subject: [PATCH] Add advisory for possible use-after-free fixed in
 libpulse-binding v2.5.0

---
 crates/libpulse-binding/RUSTSEC-0000-0000.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 crates/libpulse-binding/RUSTSEC-0000-0000.md

diff --git a/crates/libpulse-binding/RUSTSEC-0000-0000.md b/crates/libpulse-binding/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..993961b
--- /dev/null
+++ b/crates/libpulse-binding/RUSTSEC-0000-0000.md
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "libpulse-binding"
+date = "2018-12-22"
+url = "https://github.com/jnqnfe/pulse-binding-rust/security/advisories/GHSA-f56g-chqp-22m9"
+categories = ["memory-corruption"]
+
+[versions]
+patched = [">= 2.5.0"]
+unaffected = ["< 1.0.5"]
+```
+
+# Possible use-after-free with `proplist::Iterator`
+
+Affected versions contained a possible use-after-free issue with property list iteration due to a lack of a lifetime constraint tying the lifetime of a `proplist::Iterator` to the `Proplist` object for which it was created. This made it possible for users, without experiencing a compiler error/warning, to destroy the `Proplist` object before the iterator, thus destroying the underlying C object the iterator works upon, before the iterator may be finished with it.
+
+This impacts all versions of the crate before 2.5.0 back to 1.0.5. Before version 1.0.5 the function that produces the iterator was broken to the point of being useless.