1141 matches found
Data leakage between instances in the pooling allocator
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-wh6w-3828-g9qf. For more information see the GitHub-hosted security advisory...
Out of bounds read/write with zero-memory-pages configuration
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-44mr-8vmm-wjhg. For more information see the GitHub-hosted security advisory...
X.509 Email Address 4-byte Buffer Overflow
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate...
X.509 Email Address Variable Length Buffer Overflow
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate...
ELF header parsing library doesn't check for valid offset
The crate has several unsafe sections that don't perform proper pointer validation. An example can be found in the following function: fn sectionheaderraw&self - &ET::SectionHeader let shoff = self.elfheader.sectionheaderoffset as usize; let shnum = self.elfheader.sectionheaderentrynum as usize;...
Denial of Service from unchecked request length
Prior to version 0.4.2, conduit-hyper did not check any limit on a request's length before calling hyper::body::tobytes. An attacker could send a malicious request with an abnormally large Content-Length, which could lead to a panic if memory allocation failed for that request. In version 0.4.2,...
evm incorrect state transition
SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the isstatic parameter to determine if the call is executed in a static context via STATICCALL, and thus decide if stateful operations should be done. Prior to version 0.36.0, th...
matrix-sdk 0.6.0 logs access tokens
When sending Matrix requests using an affected version of matrix-sdk in an application that writes logs using tracing-subscriber in a way that includes fields of tracing spans such as tracingsubscribers default text output from the fmt module, these logs will contain the user's access token...
Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`
The compression and decompression function used mem:uninitialized to create an array of uninitialized values, to later write values into it. This later leads to reads from uninitialized memory. The flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf by using a heap-allocated Vec...
orbtk is Unmaintained
The orbtk crate is no longer maintained. Alternatives proposed by the authors: iced slint...
Using a Custom Cipher with `NID_undef` may lead to NULL encryption
OpenSSL supports creating a custom cipher via the legacy EVPCIPHERmethnew function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0...
Slack Webhooks secrets leak in debug logs
Debug log formatting made it possible to leak Webhooks secrets into debug logs. The patched version has introduced more strict checks to avoid this...
Crate `parity-wasm` deprecated by the author
This PR explicitly deprecates parity-wasm. The author recommends switching to wasm-tools...
matrix-sdk Impersonation of room keys
When the user receives a forwarded room key, the software accepts it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack...
Library exclusively intended to inject UB into safe Rust.
Quoting from the crate description: This crate is created purely to inject undefined behavior into stable, safe rust. Specifically, the inconceivable! macro is insta-UB if the ubinconceivable feature is enabled by any reverse dependency. The value this adds is questionable, and hides unsafe code...
`tauri` filesystem scope partial bypass
A bug identified in this issue allows a partial filesystem scope bypass if glob characters are used within file dialog or drag-and-drop functionalities. This PR fixes the issue by escaping glob characters...
Multiple vulnerabilities resulting in out-of-bounds writes
The heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than 3 sizeof:: because of metadata write operations. When calling Heap::extend with a size smaller than two...
badge is Unmaintained
The maintainer has advised this crate is deprecated and will not receive any maintenance. The crate depends on the deprecated rusttype crate and won't receive updates anymore. Possible Alternatives The below list has not been vetted in any way and may or may not contain alternatives; - badge-make...
No default limit put on request bodies
::fromrequest would not, by default, set a limit for the size of the request body. That meant if a malicious peer would send a very large or infinite body your server might run out of memory and crash. This also applies to these extractors which used Bytes::fromrequest internally: -...
`os_socketaddr` invalidly assumes the memory layout of std::net::SocketAddr
The ossocketaddr crate has assumed std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr. It has simply casted the pointers to convert the socket addresses to the system representation. These layout were changed into idiomatic rust...
Memory corruption in liblz4
lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to CVE-2021-3520. Attackers could craft a payload that triggers an integer overflow upon decompression, causing an out-of-bounds write. The flaw has been corrected in version v1.9.4 of liblz4, which is included in lz4-sys 1.9.4...
mapr is Unmaintained
The mapr fork has been merged back into upstream fork memmap2. The maintainers have advised mapr is deprecated and will not receive any maintenance in favor of using memmap2. Possible Alternatives The below list has not been vetted in any way and may or may not contain alternatives; - memmap2...
Use after free in MacOS / iOS implementation
In iana-time-zone v0.1.43 a use-after-free bug in the MacOS / iOS implementation was introduced. The copied system time zone was released before its name was copied. If the system time zone was changed between the call of CFRelease and str::toowned, random memory would be copied...
`tauri`'s `readDir` endpoint allows possible enumeration outside of filesystem scope
It is possible for readDir to incorrectly enumerate files from a symlinked directory if called recursively when specifying an empty string for the dir parameter as outlined in this issue. This is corrected in this PR by checking if a directory is a symlink before reading from it...
Interledger is Unmaintained
Interledger family of crates is not being actively maintained anymore. The owner of the published crate does not appear to be responsive. There is an outstanding concern around username comparison. This concern may or may not be resolved by bumping up the dependencies of the project...
`libsqlite3-sys` via C SQLite CVE-2022-35737
It was sometimes possible for SQLite versions = 1.0.12, 3.39.2 to allow an array-bounds overflow when large string were input into SQLite's printf function. As libsqlite3-sys bundles SQLite, it is susceptible to the vulnerability. libsqlite3-sys was updated to bundle the patched version of SQLite...
Unbounded memory allocation based on untrusted length
Impact Untrusted websocket connections can cause an out-of-memory OOM process abort in a client or a server. The root cause of the issue is during dataframe parsing. Affected versions would allocate a buffer based on the declared dataframe size, which may come from an untrusted source. When...
Post-Quantum Key Encapsulation Mechanism SIKE broken
Wouter Castryck and Thomas Decru presented an efficient key recovery attack on the SIDH protocol. As a result, the secret key of SIKEp751 can be recovered in a matter of hours. The SIKE and SIDH schemes will be removed from oqs 0.7.2. The affected schemes are the oqs::kem::Algorithm::Sike and...
Denial of service on deeply nested fragment requests
Deeply nested fragments in a GraphQL request may cause a stack overflow in the server...
Safety issues in `pkcs11`
Impact The interface of pkcs11 is subject to a number of safety issues, mainly related to handling of raw pointers. Despite presenting a safe interface, many of the functions and methods that rely on inputs which contain pointers attributes and mechanisms in particular can lead to segmentation...
Slack OAuth Secrets leak in debug logs
Debug log formatting made it possible to leak OAuth secrets into debug logs. The patched version has introduced more strict checks to avoid this...
Denial of service on deeply nested fragment requests
Deeply nested fragments in a GraphQL request may cause a stack overflow in the server...
libp2p Lack of resource management DoS
libp2p allows a potential attacker to cause victim p2p node to run out of memory The out of memory failure can cause crashes where libp2p is intended to be used within large scale networks leading to potential Denial of Service DoS vector Users should upgrade or reference the DoS mitigation...
Use After Free with `externref`s in Wasmtime
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-5fhj-g3p3-pq9g. For more information see the GitHub-hosted security advisory...
Heap memory corruption with RSA private key operation
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X8664 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a...
AES OCB fails to encrypt some bytes
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption...
Miscompilation of constant values in division on AArch64
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7f6x-jwh5-m9r4. For more information see the GitHub-hosted security advisory...
Miscompilation of `i8x16.swizzle` and `select` with v128 inputs
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jqwc-c49r-4w2x. For more information see the GitHub-hosted security advisory...
clipboard is Unmaintained
Last release was almost 4 years ago and the repository with outstanding issues and pull requests seems to be abandoned by the maintainer. In addition the sole maintainer account may be abandoned that may represent account takeover risk. Current outstanding issues include vulnerable dependencies...
Double Public Key Signing Function Oracle Attack on `ed25519-dalek`
Versions of ed25519-dalek prior to v2.0 model private and public keys as separate types which can be assembled into a Keypair, and also provide APIs for serializing and deserializing 64-byte private/public keypairs. Such APIs and serializations are inherently unsafe as the public key is one of th...
`MsQueue` `push`/`pop` use the wrong orderings
Affected versions of this crate use orderings which are too weak to support this data structure. It is likely this has caused memory corruption in the wild:...
Use after free in Neon external buffers
Neon provides functionality for creating JavaScript ArrayBuffer and the Buffer subtype instances backed by bytes allocated outside of V8/Node. The JsArrayBuffer::external and JsBuffer::external did not require T: 'static prior to Neon 0.10.1. This allowed creating an externally backed buffer from...
Panic due to improper UTF-8 indexing
When parsing untrusted rulex expressions, rulex may panic, possibly enabling a Denial of Service attack. This happens when the expression contains a multi- byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result. The...
Stack overflow during recursive expression parsing
When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately. The flaw was corrected in commits 60aa2dc03a by adding a check ...
Out-of-bounds read when opening multiple column families with TTL
Affected versions of this crate called the RocksDB C API rocksdbopencolumnfamilieswithttl with a pointer to a single integer TTL value, but one TTL value for each column family is expected. This is only relevant when using rocksdb::DBWithThreadMode::opencfdescriptorswithttl with multiple column...
double-checked-cell is unmaintained
The author recommends switching to oncecell, which offers a superset of the functionality...
`static_type_map` has been renamed to `erased_set`
Please use the erasedset crate going forward: There will be no further releases of statictypemap...
wee_alloc is Unmaintained
Two of the maintainers have indicated that the crate may not be maintained. The crate has open issues including memory leaks and may not be suitable for production use. It may be best to switch to the default Rust standard allocator on wasm32 targets. Last release seems to have been three years...
`SegQueue` creates zero value of any type
Affected versions of this crate called mem::zeroed to create values of a user-supplied type T. This is unsound e.g. if T is a reference type which must be non-null. The flaw was corrected by avoiding the use of mem::zeroed, using MaybeUninit instead...
`SegQueue` creates zero value of any type
Affected versions of this crate called mem::zeroed to create values of a user-supplied type T. This is unsound e.g. if T is a reference type which must be non-null. The flaw was corrected by avoiding the use of mem::zeroed, using MaybeUninit instead...