Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01bTM5LXd4MnEtbXhnM84AAvv0

Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`

The compression and decompression functions used `mem::uninitialized` to create an array of uninitialized values, intending to write values into it later. Because not every element was written before being read, this led to reads from uninitialized memory.

The flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf by using a heap-allocated `Vec` and removing the use of `mem::uninitialized`. The fix was released in v0.3.2 and v1.0.0.

Subsequently, the crate was deprecated and its use is discouraged.
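The fix pattern described above, as an added example that is not lzf-rs code: the decoder keeps its output in a growable `Vec`, so `out.len()` is always the initialized prefix and a back-reference that points before the start of the output is rejected instead of reading unwritten memory. `Op`, `decode` and the toy command set are constructed for illustration, not the crate's real format.

```rust
// Added example (not lzf-rs code): an LZ-style decoder whose output buffer is a Vec.
// With a fixed-size array created via mem::uninitialized, a back-reference that
// reaches past the bytes written so far would read garbage; here it is an error.
#[derive(Debug, Clone, Copy)]
enum Op<'a> {
    /// Copy these bytes verbatim to the output.
    Literal(&'a [u8]),
    /// Copy `len` bytes starting `dist` bytes behind the current output end.
    BackRef { dist: usize, len: usize },
}

fn decode(ops: &[Op], max_out: usize) -> Result<Vec<u8>, &'static str> {
    // Capacity is reserved up front, but len() starts at 0: nothing is readable
    // until it has actually been written.
    let mut out: Vec<u8> = Vec::with_capacity(max_out);
    for op in ops {
        match *op {
            Op::Literal(bytes) => {
                if out.len() + bytes.len() > max_out {
                    return Err("output exceeds declared size");
                }
                out.extend_from_slice(bytes);
            }
            Op::BackRef { dist, len } => {
                // The security-relevant check: only already-written bytes may be copied.
                if dist == 0 || dist > out.len() {
                    return Err("back-reference points before start of output");
                }
                if out.len() + len > max_out {
                    return Err("output exceeds declared size");
                }
                let start = out.len() - dist;
                // Byte-by-byte copy so overlapping references (dist < len) repeat
                // the pattern, as LZ-style decoders expect.
                for i in 0..len {
                    let b = out[start + i]; // start + i < out.len() always holds
                    out.push(b);
                }
            }
        }
    }
    Ok(out)
}

fn main() {
    let ops = [Op::Literal(b"ab"), Op::BackRef { dist: 2, len: 4 }];
    println!("{:?}", decode(&ops, 16)); // Ok([97, 98, 97, 98, 97, 98])
    println!("{:?}", decode(&[Op::BackRef { dist: 1, len: 1 }], 16)); // Err(...)
}
```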

Permalink: https://github.com/advisories/GHSA-5m39-wx2q-mxg3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01bTM5LXd4MnEtbXhnM84AAvv0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
Identifiers: GHSA-5m39-wx2q-mxg3
References: Repository: https://github.com/badboy/lzf-rs
Blast Radius: 0.0

Affected Packages

cargo:lzf
Dependent packages: 9
Dependent repositories: 2
Downloads: 66,004 total
Affected Version Ranges: < 0.3.2
Fixed in: 0.3.2
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1
All unaffected versions: 0.3.2, 1.0.0