OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-03 18:15:23 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
d8701fad2d40aeca8e8564692f14a8d7c30a5136
advisory-db/crates/libpulse-binding/RUSTSEC-2018-0020.md
Alexander Kjäll f494f83f8e add missing cve info to advisories (#1077) 
looks like RUSTSEC-2020-0036 might be a special case, someone got a cve for that the crate is unmaintained
2021-10-14 21:53:11 +02:00

1001 B
Raw Blame History 

[advisory]
id = "RUSTSEC-2018-0020"
package = "libpulse-binding"
date = "2018-12-22"
url = "https://github.com/advisories/GHSA-6gvc-4jvj-pwq4"
categories = ["memory-corruption"]
aliases = ["GHSA-6gvc-4jvj-pwq4", "CVE-2018-25001"]

[versions]
patched = [">= 2.5.0"]
unaffected = ["< 1.0.5"]

Possible use-after-free with proplist::Iterator

Affected versions contained a possible use-after-free issue with property list iteration due to a lack of a lifetime constraint tying the lifetime of a proplist::Iterator to the Proplist object for which it was created. This made it possible for users, without experiencing a compiler error/warning, to destroy the Proplist object before the iterator, thus destroying the underlying C object the iterator works upon, before the iterator may be finished with it.

This impacts all versions of the crate before 2.5.0 back to 1.0.5. Before version 1.0.5 the function that produces the iterator was broken to the point of being useless.