1141 matches found
slice-deque is unmaintained
The author of the slice-deque crate is unresponsive and is not receiving security patches. Maintained alternatives: - slice-ring-buffer...
multi_mut is Unmaintained
Last release was about 6 years ago. There is an outstanding soundness issue. The maintainer has not responded for two years to the existing soundness issue. Rust compiler has enabled errors relating to LLVM noalias rules and may not compile anymore where as the old compiler versions had turned...
`tokio-proto` is deprecated/unmaintained
The tokio-proto crate has been deprecated, and its GitHub repository has been archived. Users may be interested in tokio-tower instead, per https://github.com/tokio-rs/tokio/issues/118issuecomment-452969665...
Use-after-free in Framed due to lack of pinning
Affected versions of this crate did not require the buffer wrapped in Framed to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free. The flaw was corrected by making the affected functions accept Pin instead of &mut self...
sigstack allocation bug can cause memory corruption or leak
An embedding using affected versions of lucet-runtime configured to use non-default Wasm globals sizes of more than 4KiB, or compiled in debug mode without optimizations, could leak data from the signal handler stack to guest programs. This can potentially cause data from the embedding host to le...
Improper `Sync` implementation on `FuturesUnordered` in futures-utils can cause data corruption
Affected versions of the crate had an unsound Sync implementation on the FuturesUnordered structure, which used a Cell for interior mutability without any code to handle synchronized access to the underlying task list's length and head safely. This could of lead to data corruption since two threa...
Use-after-free in BodyStream due to lack of pinning
Affected versions of this crate did not require the buffer wrapped in BodyStream to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free. The flaw was corrected by making the trait MessageBody require Unpin and making pollnext function accept Pin...
Contents of uninitialized memory exposed in DeflateOutput's AsyncRead implementation
Affected versions of this crate passes an uninitialized buffer to a user-provided trait function AsyncRead::pollread. Arbitrary AsyncRead::pollread implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading...
Observable Discrepancy in libsecp256k1-rs
A timing vulnerability in the Scalar::checkoverflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack...
Threshold value is ignored (all shares are n=3)
Affected versions of this crate did not properly calculate secret shares requirements. This reduces the security of the algorithm by restricting the crate to always using a threshold value of three, rather than a configurable limit. The flaw was corrected by correctly configuring the threshold...
rust_sodium is unmaintained; switch to a modern alternative
The rustsodium crate is no longer maintained by its current owner, who advise in the repository readme that they are looking for someone else to take ownership of it. We recommend you switch to an alternative crate such as: - sodiumoxide...
Parsing a specially crafted message can result in a stack overflow
Affected versions of this crate contained a bug in which decoding untrusted input could overflow the stack. On architectures with stack probes like x86, this can be used for denial of service attacks, while on architectures without stack probes like ARM overflowing the stack is unsound and can...
bespoke Cell implementation allows obtaining several mutable references to the same data
The custom implementation of a Cell primitive in the affected versions of this crate does not keep track of mutable references to the underlying data. This allows obtaining several mutable references to the same object which may result in arbitrary memory corruption, most likely use-after-free. T...
bespoke Cell implementation allows obtaining several mutable references to the same data
The custom implementation of a Cell primitive in the affected versions of this crate does not keep track of mutable references to the underlying data. This allows obtaining several mutable references to the same object which may result in arbitrary memory corruption, most likely use-after-free. T...
Stack overflow when resolving additional records from MX or SRV null targets
There's a stack overflow leading to a crash and potential DOS when processing additional records for return of MX or SRV record types from the server. This is only possible when a zone is configured with a null target for MX or SRV records, i.e. '.'. Example effected zone record: text no-service...
spin is no longer actively maintained
The author of the spin crate does not have time or interest to maintain it. Consider the following alternatives all of which support nostd: - conquer-once - lockapi a subproject of parkinglot - spinningtop spinlock crate built on lockapi - spinning...
crust repo has been archived; use libp2p instead
The crust crate repo was archived with no warning or explanation. Given that it was archived with no warning or successor, there's not an official replacement but rust-libp2p looks like it's got a similar feature set and is actively maintained...
Integer Overflow in HeaderMap::reserve() can cause Denial of Service
HeaderMap::reserve used usize::nextpoweroftwo to calculate the increased capacity. However, nextpoweroftwo silently overflows to 0 if given a sufficiently large number in release mode. If the map was not empty when the overflow happens, the library will invoke self.grow0 and start infinite probin...
HeaderMap::Drain API is unsound
Affected versions of this crate incorrectly used raw pointer, which introduced unsoundness in its public safe API. Failing to drop the Drain struct causes double-free, and it is possible to violate Rust's alias rule and cause data race with Drain's Iterator implementation. The flaw was corrected ...
Type confusion if __private_get_type_id__ is overridden
Safe Rust code can implement malfunctioning privategettypeid and cause type confusion when downcasting, which is an undefined behavior. Users who derive Fail trait are not affected...
ChaCha20 counter overflow can expose repetitions in the keystream
The ChaCha20 stream cipher can produce a maximum of 2^32 blocks 256GB before the 32-bit counter overflows. Releases of the chacha20 crate prior to v0.2.3 allow generating keystreams larger than this, including seeking past the limit. When this occurs, the keystream is duplicated, with failure mod...
Unsound `impl Follow for bool`
The implementation of impl Follow for bool allows to reinterpret arbitrary bytes as a bool. In Rust bool has stringent requirements for its in-memory representation. Use of this function allows to violate these requirements and invoke undefined behaviour in safe code...
Flaw in Scalar::check_overflow allows side-channel timing attack
Versions of libsecp256k1 prior to 0.3.1 did not execute Scalar::checkoverflow in constant time. This allows an attacker to potentially leak information via a timing attack. The flaw was corrected by modifying Scalar::checkoverflow to execute in constant time...
generichash::Digest::eq always return true
PartialEq implementation for generichash::Digest has compared itself to itself. Digest::eq always returns true and Digest::ne always returns false...
Test advisory with associated example crate
This is a test advisory useful for verifying RustSec tooling and vulnerability detection pipelines are working correctly. Aside from the fact that it is filed against an example crate, it is otherwise considered by the Advisory Database itself to be a normal security advisory. It's filed against...
Incorrect implementation of the Streebog hash functions
Internal update-sigma function was implemented incorrectly and depending on debug-assertions it could've caused an incorrect result or panic for certain inputs...
Flaw in CBOR deserializer allows stack overflow
Affected versions of this crate did not properly check if semantic tags were nested excessively during deserialization. This allows an attacker to craft small 1 kB CBOR documents that cause a stack overflow. The flaw was corrected by limiting the allowed number of nested tags...
Stream callback function is not unwind safe
Affected versions of this crate is not panic safe within callback functions streamcallback and streamfinishedcallback. The call to user-provided closure might panic before a mem::forget call, which then causes a use after free that grants attacker to control the callback function pointer. This...
`Matrix::zip_elements` causes double free
Affected versions of this crate did not properly implements the Matrix::zipelements method, which causes an double free when the given trait implementation might panic. This allows an attacker to corrupt or take control of the memory. The flaw was corrected by Phosphorus15...
fix unsound APIs that could lead to UB
Affected versions of this crate API could use uninitialized memory with some APIs in special cases, like use the API in none generator context. This could lead to UB. The flaw was corrected by This patch fixes all those issues above...
Internally mutating methods take immutable ref self
Affected versions of this crate exposed several methods which took self by immutable reference, despite the requesting the RenderDoc API to set a mutable value internally. This is technically unsound and calling these methods from multiple threads without synchronization could lead to unexpected...
Use-after-free in buffer conversion implementation
The From implementation for Vec was not properly implemented, returning a vector backed by freed memory. This could lead to memory corruption or be exploited to cause undefined behavior. A fix was published in version 0.1.3...
Panic during initialization of Lazy<T> might trigger undefined behavior
If during the first dereference of Lazy the initialization function panics, subsequent dereferences will execute std::hints::unreachableunchecked. Applications with panic = "abort" are not affected, as there will be no subsequent dereferences...
Wrong memory orderings in RwLock potentially violates mutual exclusion
Wrong memory orderings inside the RwLock implementation allow for two writers to acquire the lock at the same time. The drop implementation used Ordering::Relaxed, which allows the compiler or CPU to reorder a mutable access on the locked data after the lock has been yielded. Only users of the...
HMAC-BLAKE2 algorithms compute incorrect results
When used in conjunction with the Hash-based Message Authentication Code HMAC, the BLAKE2b and BLAKE2s implementations in blake2 crate versions prior to v0.8.1 used an incorrect block size 32-bytes instead of 64-bytes for BLAKE2s, and 64-bytes instead of 128-bytes for BLAKE2b, causing them to...
Cloned interners may read already dropped strings
Affected versions of this crate did not clone contained strings when an interner is cloned. Interners have raw pointers to the contained strings, and they keep pointing the strings which the old interner owns, after the interner is cloned. If a new cloned interner is alive and the old original...
Flaw in interface may drop uninitialized instance of arbitrary types
Affected versions of this crate would call Vec::setlen on an uninitialized vector with user-provided type parameter, in an interface of the HDR image format decoder. They would then also call other code that could panic before initializing all instances. This could run Drop implementations on...
Memory corruption in SmallVec::grow()
Attempting to call grow on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures. An attacker that controls the value passed to grow may exploit this flaw to obtain memory contents or gain remote code execution. Credits to @ehuss for...
Flaw in offset_of and span_of causes SIGILL, drops uninitialized memory of arbitrary type on panic in client code
Affected versions of this crate caused traps and/or memory unsafety by zero-initializing references. They also could lead to uninitialized memory being dropped if the field for which the offset is requested was behind a deref coercion, and that deref coercion caused a panic. The flaw was correcte...
MultiDecoder::read() drops uninitialized memory of arbitrary type on panic in client code
Affected versions of libflate have set a field of an internal structure with a generic type to an uninitialized value in MultiDecoder::read and reverted it to the original value after the function completed. However, execution of MultiDecoder::read could be interrupted by a panic in caller-suppli...
Flaw in string parsing can lead to crashes due to invalid memory access.
The affected version of this crate did not guard against accessing memory beyond the range of its input data. A pointer cast to read the data into a 256-bit register could lead to a segmentation fault when the end plus the 32 bytes 256 bit read would overlap into the next page during string...
`boxfnonce` obsolete with release of Rust 1.35.0
This commit marks the boxfnonce crate as obsolete and the GitHub repo has since been archived. The functionality of boxfnonce has been added to Rust since 1.35.0. Use Box...
Format string vulnerabilities in `pancurses`
pancurses::mvprintw and pancurses::printw passes a pointer from a rust &str to C, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory...
Buffer overflow and format vulnerabilities in functions exposed without unsafe
ncurses exposes functions from the ncurses library which: - Pass buffers without length to C functions that may write an arbitrary amount of data, leading to a buffer overflow. instr, mvwinstr, etc - Passes rust &str to strings expecting C format arguments, allowing hostile input to execute a...
Processing of maliciously crafted length fields causes memory allocation SIGABRTs
Affected versions of this crate tried to preallocate a vector for an arbitrary amount of bytes announced by the ASN.1-DER length field without further checks. This allows an attacker to trigger a SIGABRT by creating length fields that announce more bytes than the allocator can provide. The flaw w...
Compiler optimisation for next_with_timeout in pnet::transport::IcmpTransportChannelIterator flaws to SEGFAULT
Affected versions of this crate were optimized out by compiler, which caused dereference of uninitialized file descriptor which caused segfault...
Out of Memory in stream::read_raw_bytes_into()
Affected versions of this crate called Vec::reserve on user-supplied input. This allows an attacker to cause an Out of Memory condition while calling the vulnerable method on untrusted data...
Double-free and use-after-free in SmallVec::grow()
Attempting to call grow on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents. An attacker that controls the value passed to grow...
Flaw in generativity allows out-of-bounds access
Affected versions of this crate did not properly implement the generativity, because the invariant lifetimes were not necessarily dropped. This allows an attacker to mix up two arenas, using indices created from one arena with another one. This might lead to an out-of-bounds read or write access...
Failure to properly verify ed25519 signatures makes any signature valid
Affected versions of this crate did not properly verify ed25519 signatures. Any signature with a correct length was considered valid. This allows an attacker to impersonate any node identity...