1141 matches found
Bug in SliceDeque::move_head_unchecked corrupts its memory
Affected versions of this crate entered a corrupted state if mem::sizeof:: % allocationgranularity != 0 and a specific allocation pattern was used: sufficiently shifting the deque elements over the mirrored page boundary. This allows an attacker that controls controls both element insertion and...
Uncontrolled recursion leads to abort in HTML serialization
Affected versions of this crate did use recursion for serialization of HTML DOM trees. This allows an attacker to cause abort due to stack overflow by providing a pathologically nested input. The flaw was corrected by serializing the DOM tree iteratively instead...
Unaligned memory access
Affected versions of this crate violated alignment when casting byte slices to integer slices, resulting in undefined behavior. The flaw was corrected by Ralf Jung and Diggory Hardy...
typemap is Unmaintained
The maintainer seems unreachable. The crate may or may not be usable as-is despite no maintenance and may not work in future versions of Rust. The last release seems to have been seven years ago. Possible Alternatives The below list has not been vetted in any way and may or may not contain...
Fix for UB in failure to catch panics crossing FFI boundaries
Affected versions of this crate failed to catch panics crossing FFI boundaries via callbacks, which is a form of UB. This flaw was corrected by this commit1 which was included in version 2.6.0. 1: https://github.com/jnqnfe/pulse-binding-rust/commit/7fd282aef7787577c385aed88cb25d004b85f494...
Possible use-after-free with `proplist::Iterator`
Affected versions contained a possible use-after-free issue with property list iteration due to a lack of a lifetime constraint tying the lifetime of a proplist::Iterator to the Proplist object for which it was created. This made it possible for users, without experiencing a compiler error/warnin...
Flaw in streaming state reset() functions can create incorrect results.
Affected versions of this crate did not properly reset a streaming state. Resetting a streaming state, without finalising it first, creates incorrect results. The flaw was corrected by not first checking if the state had already been reset, when calling reset...
Enum repr causing potential memory corruption
The attribute repr added to enums to be compatible with C-FFI caused memory corruption on MSVC toolchain. arrayfire crates = version 3.5.0 do not have this issue when used with Rust versions 1.27 or earlier. The issue only started to appear since Rust version 1.28. The issue seems to be interlink...
MsQueue and SegQueue suffer from double-free
Even if an element is popped from a queue, crossbeam would run its destructor inside the epoch-based garbage collector. This is a source of double frees. The flaw was corrected by wrapping elements inside queues in a ManuallyDrop. Thanks to @c0gent for reporting the issue...
Bug in SliceDeque::move_head_unchecked allows read of corrupted memory
Affected versions of this crate did not properly update the head and tail of the deque when inserting and removing elements from the front if, before insertion or removal, the tail of the deque was in the mirrored memory region, and if, after insertion or removal, the head of the deque is exactly...
Vec-to-vec transmutations could lead to heap overflow/corruption
Affected versions of this crate switched the length and capacity arguments in the Vec::fromrawparts constructor, which could lead to memory corruption or data leakage. The flaw was corrected by using the constructor correctly...
term is looking for a new maintainer
The author of the term crate does not have time to maintain it and is looking for a new maintainer. Some maintained alternatives you can potentially switch to instead, depending on your needs: - crossterm - termcolor - yansi...
Stack overflow when parsing malicious DNS packet
There's a stack overflow leading to a crash when Trust-DNS's parses a malicious DNS packet. Affected versions of this crate did not properly handle parsing of DNS message compression RFC1035 section 4.1.4. The parser could be tricked into infinite loop when a compression offset pointed back to th...
smallvec creates uninitialized value of any type
Affected versions of this crate called mem::uninitialized to create values of a user-supplied type T. This is unsound e.g. if T is a reference type which must be non-null and thus may not remain uninitialized. The flaw was corrected by avoiding the use of mem::uninitialized, using MaybeUninit...
Uncontrolled recursion leads to abort in deserialization
Affected versions of this crate did not prevent deep recursion while deserializing data structures. This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it. The flaw was corrected by checking the recursion depth. Note: clap 2.33 is not...
Uncontrolled recursion leads to abort in deserialization
Affected versions of this crate did not properly check for recursion while deserializing aliases. This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth...
Malicious input could cause uninitialized memory to be exposed
Affected versions of Claxon made an invalid assumption about the decode buffer size being a multiple of a value read from the bitstream. This could cause parts of the decode buffer to not be overwritten. If the decode buffer was newly allocated and uninitialized, this uninitialized memory could b...
Use of uninitialized memory in temporary
Uninit memory is used as a RNG seed in temporary The following function is used as a way to get entropy from the system, which does operations on and exposes uninit memory, which is UB. rust fn randomseed: &Path, : &str - u64; 2 use std::mem::uninitialized as rand; unsafe rand:: ^ 0x12345678,...
chan is end-of-life; use crossbeam-channel instead
chan has reached its end-of-life and is now deprecated. The intended successor of this crate is crossbeam-channel. Its API is strikingly similar, but comes with a much better select! macro, better performance, a better test suite and an all-around better implementation...
Possible double free during unwinding in SmallVec::insert_many
If an iterator passed to SmallVec::insertmany panicked in Iterator::next, destructors were run during unwinding while the vector was in an inconsistent state, possibly causing a double free a destructor running on two copies of the same value. This is fixed in smallvec 0.6.3 by ensuring that the...
quickersort is deprecated and unmaintained
The author of the quickersort crate has deprecated it and does not recommend using it anymore. Everything in it has been incorporated into std::sortunstable in the standard library as of Rust 1.20. std::sortunstable: https://doc.rust-lang.org/stable/std/primitive.slice.htmlmethod.sortunstable...
Links in archives can overwrite any existing file
When unpacking a tarball with the unpackin-family of functions it's intended that only files within the specified directory are able to be written. Tarballs with hard links or symlinks, however, can be used to overwrite any file on the filesystem. Tarballs can contain multiple entries for the sam...
An integer underflow could lead to panic
A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn't properly check for errors returned by untrusted. Combination of these two programming errors one in untrusted and another by user of this crate could lead to a panic an...
Use-after-free with objects returned by `Stream`'s `get_format_info` and `get_context` methods
Affected versions contained a pair of use-after-free issues with the objects returned by the getformatinfo and getcontext methods of Stream objects. These objects were mistakenly being constructed without setting an important flag to prevent destruction of the underlying C objects they reference...
Multiple memory safety issues
Affected versions contain multiple memory safety issues, such as: - Unsoundly coercing immutable references to mutable references - Unsoundly extending lifetimes of strings - Adding the Send marker trait to objects that cannot be safely sent between threads This may result in a variety of memory...
Use after free in CMS Signing
Affected versions of the OpenSSL crate used structures after they'd been freed...
`tempdir` crate has been deprecated; use `tempfile` instead
The tempdir crate has been deprecated and the functionality is merged into tempfile...
Unchecked vector pre-allocation
Affected versions of this crate pre-allocate memory on deserializing raw buffers without checking whether there is sufficient data available. This allows an attacker to do denial-of-service attacks by sending small msgpack messages that allocate gigabytes of memory...
`serial` crate is unmaintained
The serial crate is no longer maintained. Last release was on 2017-07-02. Possible alternatives Consider using an alternative, for instance the blocking librarys: - serial2 - serialport or async alternatives: - mio-serial - tokio-serial...
Large cookie Max-Age values can cause a denial of service
Affected versions of this crate use the time crate and the method Duration::seconds to parse the Max-Age duration cookie setting. This method will panic if the value is greater than 2^64/1000 and less than or equal to 2^64, which can result in denial of service for a client or server. This flaw w...
Integer overflow leads to heap-based buffer overflow in encode_config_buf
Affected versions of this crate suffered from an integer overflow bug when calculating the size of a buffer to use when encoding base64 using the encodeconfigbuf and encodeconfig functions. If the input string was large, this would cause a buffer to be allocated that was too small. Since this...
lz4-compress is unmaintained
According to the developers this crate is no longer maintained. The suggested alternative is lz4-compression, a maintained fork of lz4-compress. See also lz-fear which is compatible with the reference LZ4 implementation in C, but not with lz4-compress...
Hostname verification skipped when custom root certs used
If custom root certificates were registered with a ClientBuilder, the hostname of the target server would not be validated against its presented leaf certificate. This issue was fixed by properly configuring the trust evaluation logic to perform that check...
scalarmult() vulnerable to degenerate public keys
The scalarmult function included in previous versions of this crate accepted all-zero public keys, for which the resulting Diffie-Hellman shared secret will always be zero regardless of the private key used. This issue was fixed by checking for this class of keys and rejecting them if they are us...
headers containing newline characters can split messages
Serializing of headers to the socket did not filter the values for newline bytes \r or \n, which allowed for header values to split a request or response. People would not likely include newlines in the headers in their own applications, so the way for most people to exploit this is if an...
`cassandra` crate is unmaintained; use `cassandra-cpp` instead
The cassandra crate has not seen a release since December 2016, and its author is unresponsive. The cassandra-cpp crate is a maintained fork: https://github.com/Metaswitch/cassandra-rs...
SSL/TLS MitM vulnerability due to insecure defaults
All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification. Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks...
libusb is unmaintained; use rusb instead
The libusb crate has not seen a release since September 2016, and its author is unresponsive. The rusb crate is a maintained fork: https://github.com/a1ien/rusb...
rust-crypto is unmaintained; switch to a modern alternative
The rust-crypto crate has not seen a release or GitHub commit since 2016, and its author is unresponsive. NOTE: The old rust-crypto crate with hyphen should not be confused with similarly named new RustCrypto GitHub Org without hyphen. The GitHub Org is actively maintained. We recommend you switc...
HTTP download and execution allows MitM RCE
The build script in the portaudio crate will attempt to download via HTTP the portaudio source and build it. A Mallory in the middle can intercept the download with their own archive and get RCE...
HTTPS MitM vulnerability due to lack of hostname verification
When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not perform hostname verification when making HTTPS requests. This allows an attacker to perform MitM attacks by preventing any valid CA-issued certificate, even if there's a hostname mismatch. The problem was addressed by...