OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-05 19:20:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add lzf use-of-uninitialized-value advisory (#1465)

Browse Source 
Co-authored-by: pinkforest <36498018+pinkforest@users.noreply.github.com>
Co-authored-by: Ben Kimock <kimockb@gmail.com>
This commit is contained in:
Jan-Erik Rediger
2022-11-07 06:38:48 +01:00
committed by GitHub
parent e3e6897754
commit c7e3a0aadd
1 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
crates/lzf/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,27 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "lzf"
date = "2022-10-22"
url = "https://github.com/badboy/lzf-rs/issues/9"
informational = "unsound"
keywords = ["uninitialized-memory"]
[versions]
patched = [">= 0.3.2"]
[affected]
functions = { "lzf::compress" = ["< 0.3.2"], "lzf::decompress" = ["< 0.3.2"] }
```
# Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`
The compression and decompression function used `mem:uninitialized`
to create an array of uninitialized values, to later write values into it.
This later leads to reads from uninitialized memory.
The flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf
by using a heap-allocated `Vec` and removing out use of `mem::uninitialized`.
The fix was released in v0.3.2 and v1.0.0
Subsequently the crate was deprecated and its use is discouraged.