1141 matches found
Use after free possible in `uri::Formatter` on panic
Affected versions of this crate transmuted a &str to a &'static str before pushing it into a StackVec, this value was then popped later in the same function. This was assumed to be safe because the reference would be valid while the method's stack was active. In between the push and the pop,...
Multiple Transfer-Encoding headers misinterprets request payload
hyper's HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can...
office is unmaintained, use calamine instead
The office crate is unmaintained. Use calamine for reading excel files. Contact the office author for ownership of the package name...
Multiple soundness issues
Calls std::str::fromutf8unchecked without any checks The function xcb::xproto::GetAtomNameReply::name calls std::str::fromutf8unchecked on the raw bytes that were received from the X11 server without any validity checks. The X11 server only prevents interior null bytes, but otherwise allows any X...
Window can read out of bounds if Read instance returns more bytes than buffer size
rdiff performs a diff of two provided strings or files. As part of its reading code it uses the return value of a Read instance to set the length of its internal character vector. If the Read implementation claims that it has read more bytes than the length of the provided buffer, the length of t...
insert_slice_clone can double drop if Clone panics.
Affected versions of this crate used ptr::copy when inserting into the middle of a Vec. When ownership was temporarily duplicated during this copy, it calls the clone method of a user provided element. This issue can result in an element being double-freed if the clone call panics. Commit 20cb73d...
KeyValueReader passes uninitialized memory to Read instance
The KeyValueReader type in affected versions of this crate set up an uninitialized memory buffer and passed them to be read in to a user-provided Read instance. The Read instance could read uninitialized memory and cause undefined behavior and miscompilations. This issue was fixed in commit dd59b...
split_at allows obtaining multiple mutable references to the same data
Affected versions of this crate assumed that Borrow was guaranteed to return the same value on .borrow. The borrowed index value was used to retrieve a mutable reference to a value. If the Borrow implementation returned a different index, the split arena would allow retrieving the index as a...
`Read` on uninitialized buffer may cause UB (`impl Walue for Vec<u8>`)
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory...
nphysics2d is unmaintained
The maintainer has advised that this crate is passively-maintained and that it is being superseded by the Rapier project...
ncollide3d is unmaintained
The maintainer has advised that this crate is passively-maintained and that it is being superseded by the Parry project...
nphysics3d is unmaintained
The maintainer has advised that this crate is passively-maintained and that it is being superseded by the Rapier project...
ncollide2d is unmaintained
The maintainer has advised that this crate is passively-maintained and that it is being superseded by the Parry project...
Record::read : Custom `Read` on uninitialized buffer may cause UB
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Record::read Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialized...
`IoReader::read()`: user-provided `Read` on uninitialized buffer may cause UB
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory...
Deserialization functions pass uninitialized memory to user-provided Read
Affected versions of this crate passed an uninitialized buffer to a user-provided Read instance in: deserializebinary deserializestring deserializeextensionothers deserializestringprimitive This can result in safe Read implementations reading from the uninitialized buffer leading to undefined...
insert_many can drop elements twice on panic
Affected versions of insertmany used ptr::copy to move over items in a vector to make space before inserting, duplicating their ownership. It then iterated over a provided Iterator to insert the new items. If the iterator's .next method panics then the vector would drop the same elements twice...
Improper validation of Windows paths could lead to directory traversal attack
towerhttp::services::fs::ServeDir didn't correctly validate Windows paths meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem. This only...
Soundness issues in `raw-cpuid`
Undefined behavior in asstring methods VendorInfo::asstring, SoCVendorBrand::asstring, and ExtendedFunctionInfo::processorbrandstring construct byte slices using std::slice::fromrawparts, with data coming from reprRust structs. This is always undefined behavior. See...
`out_reference::Out::from_raw` should be `unsafe`
Out::fromraw in affected versions allows writing a value to invalid memory address without requiring unsafe. The soundness issue has been addressed by making Out::fromraw an unsafe function...
QueryInterface should call AddRef before returning pointer
Affected version of this crate, which is a required dependency in com-impl, provides a faulty implementation of the IUnknown::QueryInterface method. QueryInterface implementation must call IUnknown::AddRef before returning the pointer, as describe in this documentation: As it is not incrementing...
Optional `Deserialize` implementations lacking validation
When activating the non-default feature serialize, most structs implement serde::Deserialize without sufficient validation. This allows breaking invariants in safe code, leading to: Undefined behavior in asstring methods which use std::str::fromutf8unchecked internally. Panics due to failed...
Missing Send bound for Lazy
All current versions of this crate allow causing data races in safe code. The flaw will be fixed in the next release...
panic safety: double drop or uninitialized drop of T upon panic
Affected versions of this crate did not guard against potential panics that may happen from user-provided functions T::default and T::drop. Panic within T::default leads to dropping uninitialized T, when it is invoked from common::Slice::::new. Panic within T::drop leads to double drop of T, when...
panic safety: double drop may happen within `util::{mutate, mutate2}`
Upon panic in a user-provided function f, fn mutate & fn mutate2 drops twice a same object. Affected versions of this crate did not guard against double drop while temporarily duplicating an object's ownership with ptr::read. Dropping a same object can result in memory corruption. The flaw was...
FromIterator implementation for Vector/Matrix can drop uninitialized memory
The FromIterator methods for Vector and Matrix rely on the type parameter N to allocate space in the iterable. If the passed in N type parameter is larger than the number of items returned by the iterator, it can lead to uninitialized memory being left in the Vector or Matrix type which gets...
Double drop upon panic in 'fn map_array()'
Affected versions of this crate did not guard against panic within the user-provided function f 2nd parameter of fn maparray, and thus panic within f causes double drop of a single object. The flaw was corrected in the 0.4.0 release by wrapping the object vulnerable to a double drop within...
panic safety issue in `impl TransformContent<S, D> for [S; (2|3|4)]`
Affected versions of this crate did not guard against double drop while temporarily duplicating objects' ownership using ptr::read. Upon panic in a user-provided function conversion, objects that are copied by ptr::read are dropped twice, leading to memory corruption. The flaw was corrected in...
Buffer overflow in SmallVec::insert_many
A bug in the SmallVec::insertmany method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap. This bug was only triggered if the iterator passed to insertmany yielded more items than the...
columnar: `Read` on uninitialized buffer may cause UB (ColumnarReadExt::read_typed_vec())
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation ColumnarReadExt::readtypedvec. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading...
Reading on uninitialized buffer may cause UB ( `gfx_auxil::read_spirv()` )
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory...
`Read` on uninitialized buffer may cause UB ( `read_entry()` )
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. There are two of such cases gooffsetlog::readentry & offsetlog::readentry. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect...
`Frame::copy_from_raw_parts` can lead to segfault without `unsafe`
fn Frame::copyfromrawparts is a safe API that can take a raw pointer and dereference it. It is possible to read arbitrary memory address with an arbitrarily fed pointer. This allows the safe API to access & read arbitrary address in memory. Feeding an invalid memory address pointer to the API may...
Reading on uninitialized memory may cause UB ( `util::read_spv()` )
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory...
Loading a bgzip block can write out of bounds if size overflows.
Affected versions of bam set the length of an internal buffer using self.compressed.setlenblocksize - HEADERSIZE - MINEXTRASIZE and then wrote into it. While blocksize was constrained to a proper maximum, when it was too small the subtraction could overflow negatively to a large number past the...
`Sectors::get` accesses unclaimed/uninitialized memory
Affected versions of this crate arbitrarily calls Vec::setlen to increase length of a vector without claiming more memory for the vector. Affected versions of this crate also calls user-provided Read on the uninitialized memory of the vector that was extended with Vec::setlen. This can overwrite...
`Read` on uninitialized memory may cause UB (fn preamble_skipcount())
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation within fn preambleskipcount. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading fro...
panic in user-provided `Endian` impl triggers double drop of T
Affected versions of the crate does not guard against panic from user-provided impl of Endian trait, which is a safe trait that users can implement. If a user-provided implementation of the Endian trait panics, double-drop is triggered due to the duplicated ownership of T created by ptr::read...
EventList's From<EventList> conversions can double drop on panic.
Affected versions of this crate read from a container using ptr::read in From, and then call a user specified Into function. This issue can result in a double-free if the user provided function panics...
kamadak-exif DoS with untrusted PNG data
Attacker crafted data can cause a infinite loop leading to DoS if used with untrusted data...
interfaces2 is unmaintained, use interfaces instead
The interfaces2 crate is not maintained any more; use interfaces instead...
XSS in mdBook's search page
This is a cross-post of the official security advisoryml. The official post contains a signed version with our PGP key, as well. ml: https://groups.google.com/g/rustlang-security-announcements/c/3-sO6of29O0 The Rust Security Response Working Group was recently notified of a security issue affecti...
`Read` on uninitialized buffer can cause UB (impl of `ReadKVExt`)
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory...
'Read' on uninitialized memory may cause UB
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. The crate currently contains 4 occurrences of such cases. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes...
Reading uninitialized memory can cause UB (`Deserializer::read_vec`)
Deserializer::readvec created an uninitialized buffer and passes it to a user-provided Read implementation Deserializer.reader.readexact. Passing an uninitialized buffer to an arbitrary Read implementation is currently defined as undefined behavior in Rust. Official documentation for the Read tra...
reading on uninitialized buffer can cause UB (`impl<R> BufRead for GreedyAccessReader<R>`)
Affected versions of this crate creates an uninitialized buffer and passes it to user-provided Read implementation. This is unsound, because it allows safe Rust code to exhibit an undefined behavior read from uninitialized memory. The flaw was corrected in version 0.1.1 by zero-initializing a new...
Exposes internally used raw pointer
Affected versions of this crate dereference a raw pointer that can be modified without using unsafe code...
`read` on uninitialized buffer may cause UB (bite::read::BiteReadExpandedExt::read_framed_max)
Affected versions of this crate calls a user provided Read implementation on an uninitialized buffer. Read on uninitialized buffer is defined as undefined behavior in Rust...
`FixedCapacityDequeLike::clone()` can cause dropping uninitialized memory
Affected versions of this crate don't guard against panics, so that partially uninitialized buffer is dropped when user-provided T::clone panics in FixedCapacityDequeLike::clone. This causes memory corruption...
`impl Random` on arrays can lead to dropping uninitialized memory
Affected versions of this crate had a panic safety issue to drop partially uninitialized array of T upon panic in a user provided function T::random. Dropping uninitialized T can potentially cause memory corruption or undefined behavior. The flaw was corrected in commit 565d508 by using MaybeUnin...