Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01ajh3LXI3ZzgtNTQ3Ms4AArq3
Arrow2 allows double free in `safe` code
The struct `Ffi_ArrowArray` implements `#[derive(Clone)]`, which is inconsistent with its custom implementation of `Drop`, resulting in a double free when cloned. Cloning this struct in safe code results in a segmentation fault, which is unsound.
This derive was removed from this struct. All users are advised to either:
- bump the patch version of this crate (for versions v0.7, v0.8, v0.9), or
- migrate to a more recent version of the crate (when using <0.7).
Doing so eliminates this vulnerability (code no longer compiles).
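As an added illustration (not code from arrow2 or the advisory), the pattern the advisory describes on a constructed type: a derived `Clone` over a raw pointer sitting next to a custom `Drop`, beside the fixed shape without the derive. The names `UnsoundOwner`, `SoundOwner` and `clone_is_independent` are this example's own.

```rust
use std::ptr;
// Constructed illustration of the advisory's bug class, not arrow2's real
// Ffi_ArrowArray: a struct owning a heap buffer through a raw pointer that
// it frees in a custom Drop.

/// Unsound shape: `#[derive(Clone)]` copies the raw pointer bit-for-bit, so
/// the original and the clone both free the same buffer when dropped. Kept
/// uninstantiated here; clone-then-drop on a value would be a double free.
#[allow(dead_code)]
#[derive(Clone)]
pub struct UnsoundOwner {
    buf: *mut [u64],
}

impl Drop for UnsoundOwner {
    fn drop(&mut self) { unsafe { drop(Box::from_raw(self.buf)) } }
}

/// Fixed shape: the derive is gone, matching the advisory's fix. If cloning is
/// really needed, a hand-written deep-copying Clone is the sound alternative.
pub struct SoundOwner {
    buf: *mut [u64],
}

impl SoundOwner {
    pub fn new(values: &[u64]) -> Self {
        Self { buf: Box::into_raw(values.to_vec().into_boxed_slice()) }
    }
    pub fn as_slice(&self) -> &[u64] { unsafe { &*self.buf } }
}

impl Clone for SoundOwner {
    // Each value gets its own allocation, so each Drop frees exactly once.
    fn clone(&self) -> Self { SoundOwner::new(self.as_slice()) }
}

impl Drop for SoundOwner {
    fn drop(&mut self) { unsafe { drop(Box::from_raw(self.buf)) } }
}

/// Clone, drop the original, then check the clone is intact and backed by a
/// different allocation than the original was.
pub fn clone_is_independent(values: &[u64]) -> bool {
    let original = SoundOwner::new(values);
    let copy = original.clone();
    let distinct = !ptr::eq(original.buf, copy.buf);
    drop(original); // frees only the original's buffer
    distinct && copy.as_slice() == values
}
```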
Permalink: https://github.com/advisories/GHSA-5j8w-r7g8-5472
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01ajh3LXI3ZzgtNTQ3Ms4AArq3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
Identifiers: GHSA-5j8w-r7g8-5472
References:
- https://github.com/jorgecarleitao/arrow2/issues/880
- https://rustsec.org/advisories/RUSTSEC-2022-0012.html
- https://github.com/advisories/GHSA-5j8w-r7g8-5472
Blast Radius: 0.0
Affected Packages
cargo:arrow2
Dependent packages: 68
Dependent repositories: 495
Downloads: 1,789,891 total
Affected Version Ranges: >= 0.9.0, < 0.9.2, >= 0.8.0, < 0.8.2, < 0.7.1
Fixed in: 0.9.2, 0.8.2, 0.7.1
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.9.1
All unaffected versions: 0.7.1, 0.8.2, 0.9.2, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.16.0, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.18.0