OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-23 20:05:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
ca7b554f5babe416220eda5846f34cd2f2ca1237
advisory-db/crates/image/RUSTSEC-2019-0014.toml
Tony Arcieri 01ac6725d5 Fix all advisories to pass linter 
Mostly related to the `affected_functions` field, which has changed a
few times.
2019-09-09 12:19:01 -07:00

30 lines
1.2 KiB
TOML
Raw Blame History

[advisory]
id = "RUSTSEC-2019-0014"
package = "image"
date = "2019-08-21"
title = "Flaw in interface may drop uninitialized instance of arbitrary types"
description = """
Affected versions of this crate would call `Vec::set_len` on an uninitialized
vector with user-provided type parameter, in an interface of the HDR image
format decoder. They would then also call other code that could panic before
initializing all instances.
This could run Drop implementations on uninitialized types, equivalent to
use-after-free, and allow an attacker arbitrary code execution.
Two different fixes were applied. It is possible to conserve the interface by
ensuring proper initialization before calling `Vec::set_len`. Drop is no longer
called in case of panic, though.
Starting from version `0.22`, a breaking change to the interface requires
callers to pre-allocate the output buffer and pass a mutable slice instead,
avoiding all unsafe code.
"""
patched_versions = [">= 0.21.3"]
unaffected_versions = ["< 0.10.2"]
url = "https://github.com/image-rs/image/pull/985"
keywords = ["drop", "use-after-free"]
[affected.functions]
"image::hdr::HDRDecoder::read_image_transform" = ["< 0.21.3, >= 0.10.2"]
Reference in New Issue View Git Blame Copy Permalink