advisory-db/crates/raw-cpuid/RUSTSEC-2021-0089.md
```toml
[advisory]
id = "RUSTSEC-2021-0089"
package = "raw-cpuid"
date = "2021-01-20"
url = "https://github.com/gz/rust-cpuid/issues/43"
categories = ["memory-corruption", "denial-of-service"]

[versions]
patched = [">= 9.1.1"]
unaffected = ["<= 3.1.0"]
```

# Optional Deserialize implementations lacking validation

When activating the non-default feature `serialize`, most structs implement `serde::Deserialize` without sufficient validation. This allows breaking invariants in safe code, leading to:

* Undefined behavior in `as_string()` methods (which use `std::str::from_utf8_unchecked()` internally).
* Panics due to failed assertions.

See https://github.com/gz/rust-cpuid/issues/43.
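The following is an added illustration of the pattern the advisory describes; it is not part of the advisory and not raw-cpuid's own code. A hypothetical fixed-width text field (`VendorString`) enforces a valid-UTF-8 invariant in its constructor so that a later `from_utf8_unchecked` read is sound. A hand-written stand-in for a derived `Deserialize` (`deserialize_unvalidated`) copies wire bytes straight into the field and silently breaks that invariant, while the fixed path (`deserialize_validated`) routes through a `TryFrom` conversion that re-checks it, which is what a `#[serde(try_from = "...")]` attribute would do. All names are assumptions; the example uses only `std` so it builds without serde.

```rust
use std::convert::{TryFrom, TryInto};
use std::str;

/// Hypothetical fixed-width text field. Invariant: `bytes` is valid UTF-8.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct VendorString {
    bytes: [u8; 12],
}

impl VendorString {
    /// Trusted constructor: checks the invariant once so that unchecked
    /// reads later on are sound.
    pub fn new(bytes: [u8; 12]) -> Option<Self> {
        str::from_utf8(&bytes).ok().map(|_| VendorString { bytes })
    }

    /// Mirrors the advisory's `as_string()`: it relies on the invariant.
    /// SAFETY: every path that builds this struct must have validated
    /// `bytes` as UTF-8. A deserializer that writes the field directly
    /// breaks that contract and turns this call into undefined behavior.
    pub fn as_str(&self) -> &str {
        unsafe { str::from_utf8_unchecked(&self.bytes) }
    }
}

/// Checks the invariant without relying on it (used to *observe* a
/// violation safely; never call `as_str` on a value where this is false).
pub fn invariant_holds(v: &VendorString) -> bool {
    str::from_utf8(&v.bytes).is_ok()
}

/// Broken pattern: a stand-in for a derived `serde::Deserialize` that
/// copies the wire bytes into the field. Any 12-byte input is accepted,
/// so the UTF-8 invariant is never checked.
pub fn deserialize_unvalidated(wire: &[u8]) -> Option<VendorString> {
    let bytes: [u8; 12] = wire.try_into().ok()?;
    Some(VendorString { bytes })
}

/// Fixed pattern: deserialization goes through a validating conversion,
/// the role `#[serde(try_from = "[u8; 12]")]` plays with real serde.
impl TryFrom<[u8; 12]> for VendorString {
    type Error = str::Utf8Error;

    fn try_from(bytes: [u8; 12]) -> Result<Self, Self::Error> {
        str::from_utf8(&bytes)?;
        Ok(VendorString { bytes })
    }
}

pub fn deserialize_validated(wire: &[u8]) -> Result<VendorString, String> {
    let bytes: [u8; 12] = wire
        .try_into()
        .map_err(|_| "expected exactly 12 bytes".to_string())?;
    VendorString::try_from(bytes).map_err(|e| e.to_string())
}

fn main() {
    // Constructed sample inputs: a well-formed vendor string and 12 bytes
    // of 0xFF, which can never be valid UTF-8.
    let good = b"GenuineIntel";
    let bad = [0xFFu8; 12];

    let v = deserialize_validated(good).expect("valid input accepted");
    println!("validated: {}", v.as_str());

    let broken = deserialize_unvalidated(&bad).expect("raw copy always succeeds");
    println!("unvalidated accepted invalid bytes; invariant holds: {}", invariant_holds(&broken));

    println!("validated rejects invalid bytes: {}", deserialize_validated(&bad).is_err());
}
```

The point for a reviewer is where the check lives: once any constructor path, derived or hand-written, can populate the struct without validation, every `unsafe` read that trusted the invariant becomes unsound in otherwise safe code. Funnelling deserialization through the same `TryFrom` the trusted constructor uses keeps a single validation point.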