Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02NmZ3LTQzaDgtZjhwM84AA-I3

XMP Toolkit's `XmpFile::close` can trigger undefined behavior

Affected versions of the crate failed to catch C++ exceptions raised within the XmpFile::close function. If such an exception occured, it would trigger undefined behavior, typically a process abort.

This is best demonstrated in issue #230, where a race condition causes the close call to fail due to file I/O errors.

This was fixed in PR #232 (released as crate version 1.9.0), which now safely handles the exception.

For backward compatibility, the existing API ignores the error. A new API XmpFile::try_close was added to allow callers to receive and process the error result.

Users of all prior versions of xmp_toolkit are encouraged to update to version 1.9.0 to avoid undefined behavior.

Permalink: https://github.com/advisories/GHSA-66fw-43h8-f8p3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NmZ3LTQzaDgtZjhwM84AA-I3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 2 months ago
Updated: about 2 months ago

Identifiers: GHSA-66fw-43h8-f8p3
References:

Repository: https://github.com/adobe/xmp-toolkit-rs
Blast Radius: 0.0

Affected Packages

cargo:xmp_toolkit

Dependent packages: 1
Dependent repositories: 4
Downloads: 86,276 total
Affected Version Ranges: < 1.9.0
Fixed in: 1.9.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.6, 0.3.7, 0.3.8, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1
All unaffected versions: 1.9.0, 1.9.1