Add notice for borsh issue (#1682)

* Create RUSTSEC-0000-0000.md * Update RUSTSEC-0000-0000.md * Update crates/borsh/RUSTSEC-0000-0000.md Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com> * Update RUSTSEC-0000-0000.md * Update RUSTSEC-0000-0000.md --------- Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
2026-01-02 17:46:38 +01:00 · 2023-04-13 13:02:24 -04:00
parent c358dc290a
commit c4a10fa281
1 changed files with 22 additions and 0 deletions
--- a/crates/borsh/RUSTSEC-0000-0000.md
+++ b/crates/borsh/RUSTSEC-0000-0000.md
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "borsh"
+date = "2023-04-12"
+url = "https://github.com/near/borsh-rs/issues/19"
+references = ["https://github.com/near/borsh-rs/pull/136"]
+informational = "unsound"
+categories = ["memory-corruption"]
+
+[affected]
+[versions]
+patched = []
+```
+
+# Parsing borsh messages with ZST which are not-copy/clone is unsound
+
+Affected versions of borsh cause undefined behaviour when zero-sized-types (ZST) are parsed and the Copy/Clone traits are not implemented/derived.
+For instance if 1000 instances of a ZST are deserialized, and the ZST is not copy (this can be achieved through a a singleton), 
+then accessing/writing to deserialized data will cause a segmentation fault.
+
+There is currently no way for borsh to read data without also providing a Rust type. Therefore, it there are not ZST used for serialization, then you are not affected by this issue.