mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2026-02-23 15:38:27 +01:00
64c17acfe3
As announced in #228, this commit migrates all advisories to the new V2 format, which splits version information into a separate section, and now has a structure which corresponds to the internal code structure of the `rustsec` crate. This is a breaking change for users of `cargo-audit` < 0.9, and anyone who has written a 3rd party advisory format parser.
28 lines
1.1 KiB
TOML
28 lines
1.1 KiB
TOML
[advisory]
|
|
id = "RUSTSEC-2019-0002"
|
|
package = "slice-deque"
|
|
date = "2019-05-07"
|
|
title = "Bug in SliceDeque::move_head_unchecked corrupts its memory"
|
|
url = "https://github.com/gnzlbg/slice_deque/issues/57"
|
|
keywords = ["memory-corruption", "rce"]
|
|
references = ["RUSTSEC-2018-0008"]
|
|
description = """
|
|
Affected versions of this crate entered a corrupted state if
|
|
`mem::size_of::<T>() % allocation_granularity() != 0` and a specific allocation
|
|
pattern was used: sufficiently shifting the deque elements over the mirrored
|
|
page boundary.
|
|
|
|
This allows an attacker that controls controls both element insertion and
|
|
removal to corrupt the deque, such that reading elements from it would read
|
|
bytes corresponding to other elements in the deque. (e.g. a read of T could read
|
|
some bytes from one value and some bytes from an adjacent one, resulting in a T
|
|
whose value representation is not meaningful). This is undefined behavior.
|
|
|
|
The flaw was corrected by using a pair of pointers to track the head and tail of
|
|
the deque instead of a pair of indices. This pair of pointers are represented
|
|
using a Rust slice.
|
|
"""
|
|
|
|
[versions]
|
|
patched = [">= 0.2.0"]
|