Multiple memory safety issues in insert_row

When inserting rows from an iterator at a particular index, toodee would shift items over, duplicating their ownership. The space reserved for the new elements was based on the len returned by the ExactSizeIterator. This could result in elements in the array being freed twice if the iterator...

RUSTSEC-2021-0048 StackVec::extend can write out of bounds when size_hint is incorrect

StackVec::extend used the lower and upper bounds from an Iterator's sizehint to determine how many items to push into the stack based vector. If the sizehint implementation returned a lower bound that was larger than the upper bound, StackVec would write out of bounds and overwrite memory on the...

RUSTSEC-2021-0047 SliceDeque::drain_filter can double drop an element if the predicate panics

Affected versions of the crate incremented the current index of the drain filter iterator before calling the predicate function self.pred. If the predicate function panics, it is possible for the last element in the iterator to be dropped twice...

StackVec::extend can write out of bounds when size_hint is incorrect

StackVec::extend used the lower and upper bounds from an Iterator's sizehint to determine how many items to push into the stack based vector. If the sizehint implementation returned a lower bound that was larger than the upper bound, StackVec would write out of bounds and overwrite memory on the...

RUSTSEC-2021-0028 Multiple memory safety issues in insert_row

When inserting rows from an iterator at a particular index, toodee would shift items over, duplicating their ownership. The space reserved for the new elements was based on the len returned by the ExactSizeIterator. This could result in elements in the array being freed twice if the iterator...

move_elements can double-free objects on panic

Affected versions of scratchpad used ptr::read to read elements while calling a user provided function f on them. Since the pointer read duplicates ownership, a panic inside the user provided f function could cause a double free when unwinding. The flaw was fixed in commit 891561bea by removing t...

RUSTSEC-2021-0030 move_elements can double-free objects on panic

Affected versions of scratchpad used ptr::read to read elements while calling a user provided function f on them. Since the pointer read duplicates ownership, a panic inside the user provided f function could cause a double free when unwinding. The flaw was fixed in commit 891561bea by removing t...

insert_many can drop elements twice on panic

Affected versions of insertmany used ptr::copy to move over items in a vector to make space before inserting, duplicating their ownership. It then iterated over a provided Iterator to insert the new items. If the iterator's .next method panics then the vector would drop the same elements twice...

RUSTSEC-2021-0042 insert_many can drop elements twice on panic

Affected versions of insertmany used ptr::copy to move over items in a vector to make space before inserting, duplicating their ownership. It then iterated over a provided Iterator to insert the new items. If the iterator's .next method panics then the vector would drop the same elements twice...

Buffer overflow in SmallVec::insert_many

A bug in the SmallVec::insertmany method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap. This bug was only triggered if the iterator passed to insertmany yielded more items than the...

Design/Logic Flaw

An issue was discovered in the libpulse-binding crate before 2.5.0 for Rust. proplist::Iterator can cause a use-after-free...

DEBIAN-CVE-2020-35904

An issue was discovered in the crossbeam-channel crate before 0.4.4 for Rust. It has incorrect expectations about the relationship between the memory allocation and how many iterator elements there are...

CVE-2020-35904

An issue was discovered in the crossbeam-channel crate before 0.4.4 for Rust. It has incorrect expectations about the relationship between the memory allocation and how many iterator elements there are...

CVE-2020-35904

An issue was discovered in the crossbeam-channel crate before 0.4.4 for Rust. It has incorrect expectations about the relationship between the memory allocation and how many iterator elements there are...

UBUNTU-CVE-2020-35904

An issue was discovered in the crossbeam-channel crate before 0.4.4 for Rust. It has incorrect expectations about the relationship between the memory allocation and how many iterator elements there are...

Authentication flaw

An issue was discovered in the crossbeam-channel crate before 0.4.4 for Rust. It has incorrect expectations about the relationship between the memory allocation and how many iterator elements there are...

CVE-2020-35904

CVE-2020-35904 affects the Rust crate crossbeam-channel prior to version 0.4.4. The issue is an incorrect assumption about the relationship between memory allocation and the number of elements produced by an iterator, leading to unsound behavior when the Vec is reconstructed from a raw pointer ba...

CVE-2020-35904

An issue was discovered in the crossbeam-channel crate before 0.4.4 for Rust. It has incorrect expectations about the relationship between the memory allocation and how many iterator elements there are...

CVE-2020-35904

An issue was discovered in the crossbeam-channel crate before 0.4.4 for Rust. It has incorrect expectations about the relationship between the memory allocation and how many iterator elements there are...

php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access...