Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yMzI2LXBmcGotdngzaM4AA_kC
lexical-core has multiple soundness issues
RUSTSEC-2024-0377
contains multiple soundness issues:
- Bytes::read() allows creating instances of types with invalid bit patterns
- BytesIter::read() advances iterators out of bounds
- The
BytesIter
trait has safety invariants but is public and not markedunsafe
write_float()
callsMaybeUninit::assume_init()
on uninitialized data, which is is not allowed by the Rust abstract machineradix()
callsMaybeUninit::assume_init()
on uninitialized data, which is is not allowed by the Rust abstract machine
Version 1.0 fixes these issues, removes the vast majority of unsafe
code, and also fixes some correctness issues.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yMzI2LXBmcGotdngzaM4AA_kC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 2 months ago
Updated: 2 months ago
Identifiers: GHSA-2326-pfpj-vx3h
References:
- https://github.com/Alexhuszagh/rust-lexical/issues/101
- https://github.com/Alexhuszagh/rust-lexical/issues/102
- https://github.com/Alexhuszagh/rust-lexical/issues/104
- https://github.com/Alexhuszagh/rust-lexical/issues/126
- https://github.com/Alexhuszagh/rust-lexical/issues/95
- https://github.com/advisories/GHSA-c2hm-mjxv-89r4
- https://rustsec.org/advisories/RUSTSEC-2023-0055
- https://rustsec.org/advisories/RUSTSEC-2023-0086.html
- https://github.com/advisories/GHSA-2326-pfpj-vx3h
Blast Radius: 0.0
Affected Packages
cargo:lexical-core
Dependent packages: 39Dependent repositories: 7,088
Downloads: 51,276,396 total
Affected Version Ranges: < 1.0.0
Fixed in: 1.0.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.8, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.2, 0.8.3, 0.8.5
All unaffected versions: 1.0.0, 1.0.1, 1.0.2