1141 matches found
VecStorage Deserialize Allows Violation of Length Invariant
The Deserialize implementation for VecStorage did not maintain the invariant that the number of elements must equal nrows ncols. Deserialization of specially crafted inputs could allow memory access beyond allocation of the vector. This flaw was introduced in v0.11.0 086e6e due to the addition of...
`mopa` is technically unsound
The mopa crate redefines the deprecated TraitObject struct from core::raw like so: rust reprC deriveCopy, Clone dochidden pub struct TraitObject pub data: mut , pub vtable: mut , This is done to then transmute a reference to a trait object &dyn Trait for any trait Trait into this struct and...
File exposure in pleaser
pleaser before 0.4 allows a local unprivileged attacker to gain knowledge about the existence of files or directories in privileged locations via the searchpath function, the --check option, or the -d option...
Permissions bypass in pleaser
Failure to normalize the umask in pleaser before 0.4 allows a local attacker to gain full root privileges if they are allowed to execute at least one command...
Permissions bypass in pleaser
pleaseedit in pleaser before 0.4 uses predictable temporary filenames in /tmp and the target directory. This allows a local attacker to gain full root privileges by staging a symlink attack...
SMTP command injection in body
Affected versions of lettre allowed SMTP command injection through an attacker's controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary...
Memory access due to code generation flaw in Cranelift module
There is a bug in 0.73.0 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a WebAssembly module. Users of versions 0.73.0 of Cranelift should upgrade to either 0.73.1 or 0.74 to remediate this vulnerability. Users of Cranelift prior to 0.73...
Crate `twoway` deprecated by the author
The commit e99b3c7 releasing version 0.2.2 explicitly deprecates twoway in favour of memchr crate...
Soundness issue in `iced-x86` versions <= 1.10.3
Versions of iced-x86...
Denial of service on EVM execution due to memory over-allocation
Prior to the patch, when executing specific EVM opcodes related to memory operations that use evmcore::Memory::copylarge, the crate can over-allocate memory when it is not needed, making it possible for an attacker to perform denial-of-service attack. The flaw was corrected in commit 19ade85...
anymap is unmaintained.
The anymap crate does not appear to be maintained, and the most recent published version 0.12.1 includes a soundness bug. This has been fixed a few years ago, but was never released...
`cpuid-bool` has been renamed to `cpufeatures`
Please use the cpufeatures crate going forward: There will be no further releases of cpuid-bool...
XSS in `comrak`
comrak operates by default in a "safe" mode of operation where unsafe content, such as arbitrary raw HTML or URLs with non-standard schemes, are not permitted in the output. This is per the reference GFM implementation, cmark-gfm. Ampersands were not being correctly escaped in link targets, makin...
Null pointer deref in `X509_issuer_and_serial_hash()`
The OpenSSL public API function X509issuerandserialhash attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field which might occur if the...
Integer overflow in CipherUpdate
Calls to EVPCipherUpdate, EVPEncryptUpdate and EVPDecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 indicating succes...
NULL pointer deref in signature_algorithms processing
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signaturealgorithms extension where it was present in the initial ClientHello, but includes a signaturealgorithmscert extension then a NU...
CA certificate check bypass with X509_V_FLAG_X509_STRICT
The X509VFLAGX509STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an...
`aesni` has been merged into the `aes` crate
Please use the aes crate going forward. The new repository location is at: AES-NI is now autodetected at runtime on i686/x86-64 platforms. If AES-NI is not present, the aes crate will fallback to a constant-time portable software implementation. To prevent this fallback and have absence of AES-NI...
`aes-ctr` has been merged into the `aes` crate
Please use the aes crate going forward. The new repository location is at: The aes crate now has an optional ctr feature which autodetects SIMD features on i686/x86-64 targets and uses them if available, or otherwise falls back to the implementation in the ctr crate. If you would prefer not to ha...
`aes-soft` has been merged into the `aes` crate
Please use the aes crate going forward. The new repository location is at: AES-NI is now autodetected at runtime on i686/x86-64 platforms. If AES-NI is not present, the aes crate will fallback to a constant-time portable software implementation. To force the use of a constant-time portable...
Archives may contain uninitialized memory
rkyv is a serialization framework that writes struct-compatible memory to be stored or transmitted. During serialization, struct padding bytes and unused enum bytes may not be initialized. These bytes may be written to disk or sent over unsecured channels...
AtomicBucket<T> unconditionally implements Send/Sync
In the affected versions of the crate, AtomicBucket unconditionally implements Send/Sync traits. Therefore, users can create a data race to the inner T: !Sync by using the AtomicBucket::datawith API. Such data races can potentially cause memory corruption or other undefined behavior. The flaw was...
`sass-rs` has been deprecated
The sass-rs crate is not maintained anymore as libsass is deprecated. Consider using https://github.com/connorskees/grass or https://github.com/kaj/rsass instead. Author's recommendation...
rusttype is Unmaintained
The maintainer has advised this crate is deprecated and will not receive any maintenance. The maintainer has further advised to migrate over to abglyph. Last release seems to have been over two years ago. Possible Alternatives The below list has not been vetted in any way and may or may not conta...
Denial of service through parsing payloads with too big exponent
The parseduration::parse function allows for parsing duration strings with exponents like 5e5s where under the hood, the BigInt type along with the pow function are used for such payloads. Passing an arbitrarily big exponent makes the parseduration::parse function to process the payload for a ver...
'merge_sort::merge()' crashes with double-free for `T: Drop`
In the affected versions of this crate, mergesort::merge wildly duplicates and drops ownership of T without guarding against double-free. Due to such implementation, simply invoking mergesort::merge on Vec can cause double free bugs...
Multiple memory safety issues
Affected versions contain multiple memory safety issues, such as: - Setting a multi label type where an image doesn't exist would lead to a NULL pointer dereference. - Setting a window icon using a non-raster image which FLTK rasterizes lazily would lead to a NULL dereference. - Pixmap constructo...
Fix a use-after-free bug in diesels Sqlite backend
We've misused sqlite3columnname. The SQLite documentation states that the following: The returned string pointer is valid until either the prepared statement is destroyed by sqlite3finalize or until the statement is automatically reprepared by the first call to sqlite3step for a particular run or...
`quinn` invalidly assumes the memory layout of std::net::SocketAddr
The quinn crate has assumed std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr. It has simply casted the pointers to convert the socket addresses to the system representation. The standard library does not say anything about the...
Intern<T>: Data race allowed on T
Affected versions of this crate unconditionally implements Sync for Intern. This allows users to create data race on T: !Sync, which may lead to undefined behavior for example, memory corruption. The flaw was corrected in commit 2928a87 by adding the trait bound T: Sync in the Sync impl of Intern...
Deserializing an array can drop uninitialized memory on panic
The readbytesdefaultle function for T; n arrays, used to deserialize arrays of T from bytes created a T; n array with std::mem::uninitialized and then called T's deserialization method. If T's deserialization method panicked, the uninitialized memory could drop invalid objects. This flaw was...
project abandoned; migrate to the `aes-siv` crate
The Miscreant project has been abandoned and archived. The Rust implementation has been adapted into the new aes-siv crate which implements both the AES-CMAC-SIV and AES-PMAC-SIV constructions: Please migrate to the aes-siv crate. Alternatively see the aes-gcm-siv crate for a newer, faster...
Multiple functions can cause double-frees
The following functions in the crate are affected: IdMap::clonefrom The clonefrom implementation for IdMap drops the values present in the map and then begins cloning values from the other map. If a .clone call pancics, then the afformentioned dropped elements can be freed again. getorinsert...
swap_index can write out of bounds and return uninitialized memory
swapindex takes an iterator and swaps the items with their corresponding indexes. It reserves capacity and sets the length of the vector based on the .len method of the iterator. If the len returned by the iterator is larger than the actual number of elements yielded, then swapindex creates a...
push_cloned can drop uninitialized memory or double free on panic
Affected versions of stackdst used a pushinner function that increased the internal length of the array and then called val.clone. If the val.clone call panics, the stack could drop an already dropped element or drop uninitialized memory. This issue was fixed in 2a4d538 by increasing the length o...
XSS in `comrak`
The comrak we were matching unsafe URL prefixes, such as data: or javascript: , in a case-sensitive manner. This meant prefixes like Data: were untouched...
Multiple memory safety issues in insert_row
When inserting rows from an iterator at a particular index, toodee would shift items over, duplicating their ownership. The space reserved for the new elements was based on the len returned by the ExactSizeIterator. This could result in elements in the array being freed twice if the iterator...
StackVec::extend can write out of bounds when size_hint is incorrect
StackVec::extend used the lower and upper bounds from an Iterator's sizehint to determine how many items to push into the stack based vector. If the sizehint implementation returned a lower bound that was larger than the upper bound, StackVec would write out of bounds and overwrite memory on the...
SliceDeque::drain_filter can double drop an element if the predicate panics
Affected versions of the crate incremented the current index of the drain filter iterator before calling the predicate function self.pred. If the predicate function panics, it is possible for the last element in the iterator to be dropped twice...
move_elements can double-free objects on panic
Affected versions of scratchpad used ptr::read to read elements while calling a user provided function f on them. Since the pointer read duplicates ownership, a panic inside the user provided f function could cause a double free when unwinding. The flaw was fixed in commit 891561bea by removing t...
`through` and `through_and` causes a double free if the map function panics
through and throughand take a mutable reference as well as a mapping function to change the provided reference. They do this by calling ptr::read on the reference which duplicates ownership and then calling the mapping function. If the mapping function panics, both the original object and the one...
misc::vec_with_size() can drop uninitialized memory if clone panics
misc::vecwithsize creates a vector of the provided size and immediately calls vec.setlensize on it, initially filling it with uninitialized memory. It then inserts elements using veci = value.clone. If the value.clone call panics, uninitialized items in the vector will be dropped leading to...
Tape::take_bytes exposes uninitialized memory to a user-provided Read
Affected versions of this crate passed an unininitialized buffer to a user-provided Read instance in Tape::takebytes. This can result in safe Read implementations reading from the uninitialized buffer leading to undefined behavior. The flaw was corrected in commit 1f2dc7f37dd by removing the unsa...
PartialReader passes uninitialized memory to user-provided Read
Affected versions of this crate passed an uniniitalized buffer to a user-provided Read instance in PartialReader::read. This can result in safe Read implementations reading from the uninitialized buffer leading to undefined behavior. The flaw was fixed in commit 39d62c6 by zero-initializing the...
`Read` on uninitialized buffer may cause UB ('tectonic_xdv' crate)
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory...
crate has been renamed to `qjsonrpc`
This crate has been renamed from jsonrpc-quic to qjsonrpc. The new repository location is:...
crate has been renamed to `sn_api`
This crate has been renamed from safe-api to snapi. The new repository location is:...
`nb-connect` invalidly assumes the memory layout of std::net::SocketAddr
The nb-connect crate has assumed std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr. It has simply casted the pointers to convert the socket addresses to the system representation. The standard library does not say anything about...
Incorrect check on buffer length when seeding RNGs
Summary: randcore::le::readu32into and readu64into have incorrect checks on the source buffer length, allowing the destination buffer to be under-filled. Implications: some downstream RNGs, including Hc128Rng but not the more widely used ChaChaRng, allow seeding using the SeedableRng::fromseed...
Use-after-free in `subscript_next` and `subscript_prev` wrappers
Affected versions of this crate had an unsound implementation which could pass a pointer to freed memory to ydbsubscriptnextst and ydbsubscriptprevst if the variable and subscripts did not have enough memory allocated on the first call to hold the next variable in the database. For example, the...