Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jOHYzLWpodjktNHBwY84AA4ow
Use-after-free when setting the locale
Version 3.0.0 introduced an AtomicStr type, that is used to store the current locale. It stores the locale as a raw pointer to an Arc<String>. The locale can be read with AtomicStr::as_str(). AtomicStr::as_str() does not increment the usage counter of the Arc.
If the locale is changed in one thread, another thread can have a stale -- possibly already freed -- reference to the stored string.
Permalink: https://github.com/advisories/GHSA-c8v3-jhv9-4ppcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jOHYzLWpodjktNHBwY84AA4ow
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 10 months ago
Identifiers: GHSA-c8v3-jhv9-4ppc
References:
- https://github.com/longbridgeapp/rust-i18n/issues/71
- https://github.com/longbridgeapp/rust-i18n/commit/22e0609591a2c08930f52a0e6bc860f02a0e88c0
- https://rustsec.org/advisories/RUSTSEC-2024-0007.html
- https://github.com/advisories/GHSA-c8v3-jhv9-4ppc
Blast Radius: 0.0
Affected Packages
cargo:rust-i18n-support
Dependent packages: 4Dependent repositories: 7
Downloads: 339,665 total
Affected Version Ranges: >= 3.0.0, < 3.0.1
Fixed in: 3.0.1
All affected versions: 3.0.0
All unaffected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.4.0, 1.0.0, 1.1.0, 2.0.0, 2.1.0, 2.3.0, 2.4.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2