advisory-db/crates/diesel/RUSTSEC-2021-0037.md
2021-03-19 14:21:58 -07:00

[advisory]
id = "RUSTSEC-2021-0037"
package = "diesel"
aliases = ["CVE-2021-28305"]
date = "2021-03-05"
url = "https://github.com/diesel-rs/diesel/pull/2663"
categories = ["memory-corruption"]
keywords = ["use after free"]

[affected]
functions = { "diesel::SqliteConnection::query_by_name" = ["< 1.4.6"] }

[versions]
patched = [">= 1.4.6"]

Fix a use-after-free bug in diesel's SQLite backend

We misused sqlite3_column_name. The SQLite documentation states the following:

The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.

As part of our query_by_name infrastructure we first retrieved all field names for the prepared statement and stored them as borrowed string slices for later use. After that we called sqlite3_step() for the first time, which invalidates the pointer returned by sqlite3_column_name() and therefore the stored string slice, so any later read of that slice is a use-after-free.
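An added illustration of the lifetime rule quoted above, not diesel's own code: a constructed Rust stand-in for a prepared statement whose column-name buffers are replaced on the first step(), with the borrowed-slice pattern the advisory describes beside the owned-copy fix (MockStmt, column_names_borrowed and column_names_owned are invented names, not the real sqlite3 or libsqlite3-sys API).

```rust
use std::ffi::{CStr, CString};
use std::os::raw::c_char;

// Constructed stand-in for a prepared SQLite statement; not the real sqlite3
// C API. As in the real one, the column-name buffers are replaced the first
// time step() runs (the "automatically reprepared" case from the docs).
pub struct MockStmt {
    names: Vec<CString>,
    stepped: bool,
}

impl MockStmt {
    pub fn new(names: &[&str]) -> MockStmt {
        let names = names.iter().map(|n| CString::new(*n).unwrap()).collect();
        MockStmt { names, stepped: false }
    }

    // Analogue of sqlite3_column_name(): the pointer is valid only until the
    // next step() (or the next column_name() call for the same column).
    pub fn column_name(&self, idx: usize) -> *const c_char {
        self.names[idx].as_ptr()
    }

    // Analogue of the first sqlite3_step(): reallocate every name buffer and
    // drop the old ones, so every pointer handed out earlier now dangles.
    pub fn step(&mut self) {
        if !self.stepped {
            self.names = self.names.iter().map(|n| CString::new(n.as_bytes()).unwrap()).collect();
            self.stepped = true;
        }
    }
}

// The pattern the advisory describes: &str slices built directly over the C
// buffer with a caller-chosen lifetime. The borrow checker cannot see the
// raw pointer, so reading these after step() is a silent use-after-free.
pub unsafe fn column_names_borrowed<'a>(stmt: &MockStmt, count: usize) -> Vec<&'a str> {
    (0..count)
        .map(|i| unsafe { CStr::from_ptr(stmt.column_name(i)) }.to_str().unwrap())
        .collect()
}

// Hardened form: copy each name into an owned String while the pointer is
// still valid, so the result no longer depends on the statement's buffers.
pub fn column_names_owned(stmt: &MockStmt, count: usize) -> Vec<String> {
    (0..count)
        .map(|i| unsafe { CStr::from_ptr(stmt.column_name(i)) }.to_string_lossy().into_owned())
        .collect()
}
```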