Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12MzYzLXJyZjItNWZtas4AA4ig
ferris-says has undefined behavior when not using UTF-8
Affected versions receive a &[u8] from the caller through a safe API and pass it directly to the unsafe str::from_utf8_unchecked function. The behavior of ferris_says::say is therefore undefined if the bytes from the caller do not happen to be valid UTF-8.
The flaw was corrected in ferris-says#21 by using the safe str::from_utf8 instead and returning an error on invalid input. However, this fix has not yet been published to crates.io as a patch version for 0.2.
Separately, ferris-says#32 introduced a different API for version 0.3 which accepts input as &str rather than &[u8], so it is unaffected by this bug.
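The two API shapes the advisory contrasts, as an added illustration rather than ferris-says' own code: a safe signature that forwards caller bytes to str::from_utf8_unchecked, the corrected form that validates with str::from_utf8 and returns an error, and the 0.3-style &str signature. The speech-bubble renderer and the width parameter are hypothetical stand-ins.

```rust
use std::str;
/// Error returned when the caller's bytes are not valid UTF-8.
#[derive(Debug, PartialEq)]
pub struct NotUtf8 {
    pub valid_up_to: usize,
}

/// Flawed shape: a safe signature whose unsafe block never checks its
/// precondition, so arbitrary caller bytes are undefined behaviour.
pub fn say_unchecked(bytes: &[u8], width: usize) -> String {
    // SAFETY: not upheld; this is the pattern the advisory describes.
    let text = unsafe { str::from_utf8_unchecked(bytes) };
    render(text, width)
}

/// Corrected shape: validate with the safe conversion and report invalid input.
pub fn say(bytes: &[u8], width: usize) -> Result<String, NotUtf8> {
    let text = str::from_utf8(bytes)
        .map_err(|e| NotUtf8 { valid_up_to: e.valid_up_to() })?;
    Ok(render(text, width))
}

/// 0.3-style shape: take &str, so validity is enforced by the type system.
pub fn say_str(text: &str, width: usize) -> String {
    render(text, width)
}

/// Minimal stand-in renderer (hypothetical): word-wrap to `width`
/// columns and draw a box around the lines.
fn render(text: &str, width: usize) -> String {
    let mut lines: Vec<String> = Vec::new();
    let mut cur = String::new();
    for word in text.split_whitespace() {
        if !cur.is_empty() && cur.chars().count() + 1 + word.chars().count() > width {
            lines.push(std::mem::take(&mut cur));
        }
        if !cur.is_empty() { cur.push(' '); }
        cur.push_str(word);
    }
    if !cur.is_empty() { lines.push(cur); }
    let inner = lines.iter().map(|l| l.chars().count()).max().unwrap_or(0);
    let mut out = format!(" {} \n", "_".repeat(inner + 2));
    for l in &lines {
        out.push_str(&format!("| {:<w$} |\n", l, w = inner));
    }
    out.push_str(&format!(" {} \n", "-".repeat(inner + 2)));
    out
}
```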
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12MzYzLXJyZjItNWZtas4AA4ig
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 10 months ago
Updated: 10 months ago
Identifiers: GHSA-v363-rrf2-5fmj
References:
- https://github.com/rust-lang/ferris-says/pull/21
- https://github.com/rust-lang/ferris-says/commit/bb661f29e0d88968c495a4ea4dc63ff0e2c2c11a
- https://rustsec.org/advisories/RUSTSEC-2024-0001.html
- https://github.com/advisories/GHSA-v363-rrf2-5fmj
Blast Radius: 0.0
Affected Packages
cargo:ferris-says
Dependent packages: 35
Dependent repositories: 144
Downloads: 445,688 total
Affected Version Ranges: >= 0.3.0, < 0.3.1, >= 0.1.2, <= 0.2.1
Fixed in: 0.3.1
All affected versions: 0.1.2, 0.2.0, 0.2.1
All unaffected versions: 0.1.0, 0.1.1, 0.3.1, 0.3.2