Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS00M3cyLTlqNjItaHE5Oc4AAnWf

Critical EPSS: 0.00547% (0.66504 Percentile) EPSS:
Permalink JSON

Buffer overflow in SmallVec::insert_many

Affected Packages Affected Versions Fixed Versions
cargo:smallvec >= 1.0.0, < 1.6.1, >= 0.6.3, < 0.6.14 1.6.1, 0.6.14
1,616 Dependent packages
67,564 Dependent repositories
462,121,101 Downloads total

Affected Version Ranges

All affected versions

0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.6.11, 0.6.12, 0.6.13, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.6.0

All unaffected versions

0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.14, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.1

A bug in the SmallVec::insert_many method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap. This bug was only triggered if the iterator passed to insert_many yielded more items than the lower bound returned from its size_hint method.

The flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of insert_many to use less unsafe code, so it is easier to verify its correctness.

References:

Identifiers

GHSA-43w2-9j62-hq99

CVE-2021-25900

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.00547

EPSS Percentile: 0.66504

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/servo/rust-smallvec

Date and time

Published

about 3 years ago

Updated

almost 2 years ago

API

JSON