Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14Zmh3LTZtYzQtbWd4Zs4AA6qR

crayon: ObjectPool creates uninitialized memory when freeing objects

As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its type parameter when it attempts to free an object, and swaps it into the storage. This causes instant undefined behavior due to reading the uninitialized memory in order to write it to the pool storage.

Extremely basic usage of the crate can trigger this issue, e.g. this code from a doctest:

use crayon::prelude::*;
application::oneshot().unwrap();

let mut params = MeshParams::default();

let mesh = video::create_mesh(params, None).unwrap();

// Deletes the mesh object.
video::delete_mesh(mesh); // <-- UB

The Clippy warning for this code was silenced in commit c2fde19caf6149d91faa504263f0bc5cafc35de5.

Discovered via https://asan.saethlin.dev/ub?crate=crayon&version=0.7.1
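A sound way to vacate a pool slot, as an added example that is not part of the advisory and not crayon's code. `SlotPool`, `create` and `free` are hypothetical names, and the unsound shape the advisory describes appears only as a comment.

```rust
use std::mem::MaybeUninit;

// Hypothetical minimal pool (NOT crayon's ObjectPool). `live[i]` records
// whether `slots[i]` currently holds an initialized T.
pub struct SlotPool<T> {
    slots: Vec<MaybeUninit<T>>,
    live: Vec<bool>,
}

impl<T> SlotPool<T> {
    pub fn new() -> Self { SlotPool { slots: Vec::new(), live: Vec::new() } }
    pub fn create(&mut self, value: T) -> usize {
        // Reuse a vacated slot if one exists, otherwise grow the storage.
        if let Some(i) = self.live.iter().position(|l| !*l) {
            self.slots[i].write(value);
            self.live[i] = true;
            return i;
        }
        self.slots.push(MaybeUninit::new(value));
        self.live.push(true);
        self.slots.len() - 1
    }
    // Unsound shape the advisory describes (comment only, never compiled):
    //     let mut v: T = std::mem::uninitialized();  // a T that was never initialized
    //     std::mem::swap(&mut v, &mut storage[i]);   // read in order to store it
    // Sound form: move the value out; the vacated slot stays MaybeUninit<T>.
    pub fn free(&mut self, index: usize) -> Option<T> {
        if !*self.live.get(index)? { return None; } // double free / stale index
        self.live[index] = false;
        // SAFETY: live[index] was true, so the slot holds an initialized T;
        // the flag is cleared first, so it is never read or dropped again.
        Some(unsafe { self.slots[index].assume_init_read() })
    }
}

impl<T> Drop for SlotPool<T> {
    fn drop(&mut self) {
        for (slot, live) in self.slots.iter_mut().zip(&self.live) {
            if *live { unsafe { slot.assume_init_drop() } } // only still-occupied slots
        }
    }
}

fn main() {
    let mut pool = SlotPool::new();
    let h = pool.create(String::from("mesh"));
    let (first, second) = (pool.free(h), pool.free(h));
    println!("{:?} then {:?}", first, second);
}
```

Running the same operations under Miri (`cargo miri test`) is a direct way to confirm that a pool's free path never materializes an uninitialized `T`.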

Permalink: https://github.com/advisories/GHSA-xfhw-6mc4-mgxf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14Zmh3LTZtYzQtbWd4Zs4AA6qR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 28 days ago
Updated: 28 days ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-xfhw-6mc4-mgxf
References: Repository: https://github.com/shawnscode/crayon
Blast Radius: 0.0

Affected Packages

cargo:crayon
Dependent packages: 1
Dependent repositories: 1
Downloads: 11,188 total
Affected Version Ranges: >= 0.6.0, <= 0.7.1
No known fixed version
All affected versions: 0.6.0, 0.7.0, 0.7.1