When activating the non-default feature serialize, most structs implement
serde::Deserialize without sufficient validation. This allows breaking
invariants in safe code, leading to:
Undefined behavior in as_string() methods (which use
std::str::from_u…
This is impossible to do by accident, but by carefully constructing
marker types to be covariant, a malicious coder can cheat the
singleton check in TCellOwner and TLCellOwner, giving unsound
access to cell memory. This could take the form of getting …
rdiff performs a diff of two provided strings or files. As part of its reading
code it uses the return value of a Read instance to set the length of
its internal character vector.
If the Read implementation claims that it has read more bytes than the l…
On certain platforms, if a user has more than 16 groups, the
nix::unistd::getgrouplist function will call the libc getgrouplist
function with a length parameter greater than the size of the buffer it
provides, resulting in an out-of-bounds write and me…
Neon provides functionality for creating JavaScript ArrayBuffer (and the Buffer subtype) instances backed by bytes allocated outside of V8/Node. The JsArrayBuffer::external and JsBuffer::external did not require T: ‘static prior to Neon 0.10.1. This al…
TlsWyRand’s implementation of Deref unconditionally dereferences a raw pointer, and returns
multiple mutable references to the same object, which is undefined behavior.
References
https://github.com/Absolucy/nanorand-rs/issues/28
https://rustsec.org/…
In the affected versions of the crate, AtomicBucket<T> unconditionally implements Send/Sync traits. Therefore, users can create a data race to the inner
T: !Sync by using the AtomicBucket::data_with() API.
Such data races can potentially cause me…
The mopa crate redefines the deprecated TraitObject struct from core::raw like so:
#[repr(C)]
#[derive(Copy, Clone)]
#[doc(hidden)]
pub struct TraitObject {
pub data: *mut (),
pub vtable: *mut (),
}
This is done to then transmute a reference t…
Affected versions of this crate passed an uninitialized buffer to a
user-provided Read instance in:
deserialize_binary
deserialize_string
deserialize_extension_others
deserialize_string_primitive
This can result in safe Read implementations reading f…
Lru crate has use after free vulnerability.
Lru crate has two functions for getting an iterator. Both iterators give
references to key and value. Calling specific functions, like pop(), will remove
and free the value, and but it’s still possible to acc…
