mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2026-01-02 17:46:38 +01:00
ac125ee29a
As proposed in #240 and tracked in #414, this PR translates all advisories into the new "V3" advisory format, which is based on Markdown with leading TOML front matter. This format makes it easier to see rendered Markdown syntax descriptions, whether rendered by an IDE or GitHub. This should help with both crafting advisories initially as well as review, and ideally encourages more lengthy descriptions. Support for this format shipped in `cargo-audit` v0.12.0 on May 6th, 2020.
25 lines
1.1 KiB
Markdown
25 lines
1.1 KiB
Markdown
```toml
|
|
[advisory]
|
|
id = "RUSTSEC-2019-0010"
|
|
package = "libflate"
|
|
aliases = ["CVE-2019-15552"]
|
|
date = "2019-07-04"
|
|
keywords = ["drop", "use-after-free"]
|
|
url = "https://github.com/sile/libflate/issues/35"
|
|
|
|
[affected.functions]
|
|
"libflate::gzip::MultiDecoder::read" = ["< 0.1.25, >= 0.1.14"]
|
|
|
|
[versions]
|
|
patched = [">= 0.1.25"]
|
|
unaffected = ["< 0.1.14"]
|
|
```
|
|
|
|
# MultiDecoder::read() drops uninitialized memory of arbitrary type on panic in client code
|
|
|
|
Affected versions of libflate have set a field of an internal structure with a generic type to an uninitialized value in `MultiDecoder::read()` and reverted it to the original value after the function completed. However, execution of `MultiDecoder::read()` could be interrupted by a panic in caller-supplied `Read` implementation. This would cause `drop()` to be called on uninitialized memory of a generic type implementing `Read`.
|
|
|
|
This is equivalent to a use-after-free vulnerability and could allow an attacker to gain arbitrary code execution.
|
|
|
|
The flaw was corrected by aborting immediately instead of unwinding the stack in case of panic within `MultiDecoder::read()`. The issue was discovered and fixed by Shnatsel.
|