mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2026-01-22 03:18:11 +01:00
64c17acfe3
As announced in #228, this commit migrates all advisories to the new V2 format, which splits version information into a separate section, and now has a structure which corresponds to the internal code structure of the `rustsec` crate. This is a breaking change for users of `cargo-audit` < 0.9, and anyone who has written a 3rd party advisory format parser.
26 lines
1.3 KiB
TOML
26 lines
1.3 KiB
TOML
[advisory]
|
|
id = "RUSTSEC-2019-0023"
|
|
package = "string-interner"
|
|
date = "2019-08-24"
|
|
title = "Cloned interners may read already dropped strings"
|
|
url = "https://github.com/Robbepop/string-interner/issues/9"
|
|
keywords = ["use after free"]
|
|
description = """
|
|
Affected versions of this crate did not clone contained strings when an interner is cloned.
|
|
Interners have raw pointers to the contained strings, and they keep pointing the strings which the old interner owns, after the interner is cloned.
|
|
If a new cloned interner is alive and the old original interner is dead, the new interner has dangling pointers to the old interner's storage, which is already dropped.
|
|
|
|
This allows an attacker to read the already freed memory.
|
|
The dangling pointers are used by the interners to check a string is already interned.
|
|
An attacker can do brute force attack to get the data pointed by the dangling pointer.
|
|
|
|
The flaw was corrected by <https://github.com/Robbepop/string-interner/pull/10>.
|
|
This patch implements `Clone` manually to the interner type, so that the internal raw pointers always point the strings owned by the same interner.
|
|
|
|
PR #10 was also backported to the 0.6 release line in
|
|
<https://github.com/Robbepop/string-interner/pull/14> and was released in 0.6.4.
|
|
"""
|
|
|
|
[versions]
|
|
patched = ["^0.6.4", ">= 0.7.1"]
|