Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13Zmc0LTMyMmctOXZxds4AAz-b
memoffset allows reading uninitialized memory
memoffset allows attempt of reading data from address 0 with arbitrary type. This behavior is an undefined behavior because address 0 to std::mem::size_of<T> may not have valid bit-pattern with T. Old implementation dereferences uninitialized memory obtained from std::mem::align_of. Older implementation prior to it allows using uninitialized data obtained from std::mem::uninitialized with arbitrary type then compute offset by taking the address of field-projection. This may also result in an undefined behavior for "father" that includes (directly or transitively) type that does not allow to be uninitialized.
This flaw was corrected by using std::ptr::addr_of in https://github.com/Gilnaa/memoffset/pull/50.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13Zmc0LTMyMmctOXZxds4AAz-b
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 11 months ago
Identifiers: GHSA-wfg4-322g-9vqv
References:
- https://github.com/Gilnaa/memoffset/issues/24
- https://github.com/Gilnaa/memoffset/pull/50
- https://rustsec.org/advisories/RUSTSEC-2023-0045.html
- https://github.com/advisories/GHSA-wfg4-322g-9vqv
Blast Radius: 0.0
Affected Packages
cargo:memoffset
Dependent packages: 183Dependent repositories: 43,080
Downloads: 183,519,841 total
Affected Version Ranges: < 0.6.2
Fixed in: 0.6.2
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.0, 0.6.1
All unaffected versions: 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1