OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-04 10:40:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
ca7b554f5babe416220eda5846f34cd2f2ca1237
advisory-db/crates/libflate/RUSTSEC-2019-0010.toml
Tony Arcieri 01ac6725d5 Fix all advisories to pass linter 
Mostly related to the `affected_functions` field, which has changed a
few times.
2019-09-09 12:19:01 -07:00

20 lines
1.1 KiB
TOML
Raw Blame History

[advisory]
id = "RUSTSEC-2019-0010"
package = "libflate"
date = "2019-07-04"
title = "MultiDecoder::read() drops uninitialized memory of arbitrary type on panic in client code"
description = """
Affected versions of libflate have set a field of an internal structure with a generic type to an uninitialized value in `MultiDecoder::read()` and reverted it to the original value after the function completed. However, execution of `MultiDecoder::read()` could be interrupted by a panic in caller-supplied `Read` implementation. This would cause `drop()` to be called on uninitialized memory of a generic type implementing `Read`.
This is equivalent to a use-after-free vulnerability and could allow an attacker to gain arbitrary code execution.
The flaw was corrected by aborting immediately instead of unwinding the stack in case of panic within `MultiDecoder::read()`. The issue was discovered and fixed by Shnatsel.
"""
patched_versions = [">= 0.1.25"]
unaffected_versions = ["< 0.1.14"]
url = "https://github.com/sile/libflate/issues/35"
keywords = ["drop", "use-after-free"]
[affected.functions]
"libflate::gzip::MultiDecoder::read" = ["< 0.1.25, >= 0.1.14"]
Reference in New Issue View Git Blame Copy Permalink