From c4a10fa281a01cc9e6deb85db303ed9f78540049 Mon Sep 17 00:00:00 2001
From: Max Ammann
Date: Thu, 13 Apr 2023 13:02:24 -0400
Subject: [PATCH] Add notice for borsh issue (#1682)
* Create RUSTSEC-0000-0000.md
* Update RUSTSEC-0000-0000.md
* Update crates/borsh/RUSTSEC-0000-0000.md
Co-authored-by: Sergey "Shnatsel" Davidoff
* Update RUSTSEC-0000-0000.md
* Update RUSTSEC-0000-0000.md
---------
Co-authored-by: Sergey "Shnatsel" Davidoff
---
crates/borsh/RUSTSEC-0000-0000.md | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 crates/borsh/RUSTSEC-0000-0000.md
diff --git a/crates/borsh/RUSTSEC-0000-0000.md b/crates/borsh/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..9004399
--- /dev/null
+++ b/crates/borsh/RUSTSEC-0000-0000.md
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "borsh"
+date = "2023-04-12"
+url = "https://github.com/near/borsh-rs/issues/19"
+references = ["https://github.com/near/borsh-rs/pull/136"]
+informational = "unsound"
+categories = ["memory-corruption"]
+
+[affected]
+[versions]
+patched = []
+```
+
+# Parsing borsh messages with ZST which are not-copy/clone is unsound
+
+Affected versions of borsh cause undefined behaviour when zero-sized-types (ZST) are parsed and the Copy/Clone traits are not implemented/derived.
+For instance if 1000 instances of a ZST are deserialized, and the ZST is not copy (this can be achieved through a a singleton),
+then accessing/writing to deserialized data will cause a segmentation fault.
+
+There is currently no way for borsh to read data without also providing a Rust type. Therefore, it there are not ZST used for serialization, then you are not affected by this issue.
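Review bot: `patched = []` under `[versions]` marks every released borsh version as affected with nothing to upgrade to, while the referenced pull request (borsh-rs #136) suggests a fix is at least in progress; if a fixed release exists it should be listed as `patched = [">= <fixed-version>"]`, and if it does not, the description should say explicitly that no patched release is available yet so audit tooling users are not left guessing. The `[affected]` table is empty and could either be dropped or populated with the deserialization entry points once they are confirmed against the upstream issue. The title says "not-copy/clone" but the body only describes the non-`Copy` case; clarifying whether `Clone` alone is sufficient to avoid the problem would make the "not affected" guidance actionable. The prose also carries two typos that will be published verbatim, `a a singleton` and `it there are not ZST used`, which should read `a singleton` and `if no ZSTs are used`.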