Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03djRqLTh3dnItdjU1cs4AArqy
`array!` macro is unsound when its length is impure constant
Affected versions of this crate substituted the array length provided by a user multiple times at compile time.
When an impure constant expression is passed as an array length (such as a result of an impure procedural macro), this can result in the initialization of an array with uninitialized types, which in turn can allow an attacker to execute arbitrary code.
The flaw was corrected in commit d5b63f72 by making sure that the array length is substituted just once.
Permalink: https://github.com/advisories/GHSA-7v4j-8wvr-v55r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03djRqLTh3dnItdjU1cs4AArqy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-7v4j-8wvr-v55r
References:
- https://github.com/rustsec/advisory-db/blob/main/crates/array-macro/RUSTSEC-2022-0017.md
- https://gitlab.com/KonradBorowski/array-macro/-/issues/5
- https://rustsec.org/advisories/RUSTSEC-2022-0017.html
- https://github.com/xfix/array-macro/commit/d5b63f72090f3809c21ac28f9cfd84f12559bf7d
- https://github.com/advisories/GHSA-7v4j-8wvr-v55r
Blast Radius: 0.0
Affected Packages
cargo:array-macro
Dependent packages: 24
Dependent repositories: 232
Downloads: 3,040,824 total
Affected Version Ranges: >= 2.1.0, < 2.1.2
Fixed in: 2.1.2
All affected versions: 2.1.0, 2.1.1
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 2.0.0, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8