Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yMzI2LXBmcGotdngzaM4AA_kC

lexical-core has multiple soundness issues

RUSTSEC-2024-0377 reports multiple soundness issues in lexical-core:

  1. Bytes::read() allows creating instances of types with invalid bit patterns
  2. BytesIter::read() advances iterators out of bounds
  3. The BytesIter trait has safety invariants but is public and not marked unsafe
  4. write_float() calls MaybeUninit::assume_init() on uninitialized data, which is not allowed by the Rust abstract machine
  5. radix() calls MaybeUninit::assume_init() on uninitialized data, which is not allowed by the Rust abstract machine

Version 1.0 fixes these issues, removes the vast majority of unsafe code, and also fixes some correctness issues.
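The practical check a maintainer wants from this advisory is whether a build resolves an affected lexical-core. The following is an added example, not code from the advisory or from rust-lexical: it scans a Cargo.lock body (a constructed sample is embedded) for lexical-core entries in the affected range < 1.0.0, using the real lockfile layout but no external crates.

```rust
// Added example (not part of the advisory or of rust-lexical): scan a Cargo.lock
// for lexical-core entries inside this advisory's affected range, < 1.0.0.

/// Numeric core of a version string: "0.8.5" -> (0, 8, 5).
/// A pre-release/build suffix ("-rc1", "+meta") is dropped before comparing.
fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// True when `version` falls in the range the advisory marks affected (< 1.0.0).
/// Unparseable versions are reported as not affected, so review those by hand.
pub fn is_affected(version: &str) -> bool {
    matches!(parse_semver(version), Some(v) if v < (1, 0, 0))
}

/// Every affected lexical-core version found in a Cargo.lock body. Cargo.lock has
/// one `[[package]]` table per resolved crate with `name = "..."` and
/// `version = "..."` keys; a crate can appear more than once at different versions.
pub fn affected_lexical_core(lockfile: &str) -> Vec<String> {
    let mut entries: Vec<(String, String)> = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    // A trailing synthetic table header flushes the last real entry.
    for line in lockfile.lines().map(str::trim).chain(std::iter::once("[[package]]")) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                entries.push((n, v));
            }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    entries
        .into_iter()
        .filter(|(n, v)| n == "lexical-core" && is_affected(v))
        .map(|(_, v)| v)
        .collect()
}

/// Constructed sample Cargo.lock fragment (not taken from any real project).
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "lexical-core"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "lexical-core"
version = "1.0.2"

[[package]]
name = "serde"
version = "0.8.5"
"#;

fn main() {
    for v in affected_lexical_core(SAMPLE_LOCK) {
        println!("lexical-core {v} is affected by GHSA-2326-pfpj-vx3h; upgrade to >= 1.0.0");
    }
}
```

The `serde 0.8.5` entry is there to show that the range check is applied only to lexical-core, and the second lexical-core table shows that a fixed version resolved alongside an old one does not hide the old one.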

Permalink: https://github.com/advisories/GHSA-2326-pfpj-vx3h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yMzI2LXBmcGotdngzaM4AA_kC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 2 months ago
Updated: 2 months ago


Identifiers: GHSA-2326-pfpj-vx3h
References: Repository: https://github.com/Alexhuszagh/rust-lexical
Blast Radius: 0.0

Affected Packages

cargo:lexical-core
Dependent packages: 39
Dependent repositories: 7,088
Downloads: 51,276,396 total
Affected Version Ranges: < 1.0.0
Fixed in: 1.0.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.8, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.2, 0.8.3, 0.8.5
All unaffected versions: 1.0.0, 1.0.1, 1.0.2