OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-15 22:04:38 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b40bd2ae822ca05d84ef0bfad0fdd71a8a15883a
advisory-db/crates/flatbuffers/RUSTSEC-2021-0122.md
Alexis Mousset 84c633df9c Update aliases from GHSA OSV export (#1693)
2023-06-13 15:10:24 +02:00

29 lines
1.2 KiB
Markdown
Raw Blame History

```toml
[advisory]
id = "RUSTSEC-2021-0122"
package = "flatbuffers"
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
date = "2021-10-31"
url = "https://github.com/google/flatbuffers/issues/6627"
aliases = ["GHSA-3jch-9qgp-4844"]
[versions]
patched = [">= 22.9.29"]
```
# Generated code can read and write out of bounds in safe code
Code generated by flatbuffers' compiler is `unsafe` but not marked as such.
See https://github.com/google/flatbuffers/issues/6627 for details.
For example, if generated code is used to decode malformed or untrusted input,
undefined behavior (and thus security vulnerabilities) is possible even without
the use of the `unsafe` keyword, [violating the the meaning of "safe"](https://doc.rust-lang.org/std/keyword.unsafe.html#the-different-meanings-of-unsafe) code;
All users that use generated code by `flatbuffers` compiler are recommended to:
1. not expose flatbuffer generated code as part of their public APIs
2. audit their code and look for any usage of `follow`, `push`, or any method that uses them
(e.g. `self_follow`).
3. Carefully go through the crates' documentation to understand which "safe" APIs are not
intended to be used.
Reference in New Issue View Git Blame Copy Permalink