Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1mNTZnLWNocXAtMjJtOc4AA5Ct

Use after free in libpulse-binding

Overview

Version 2.5.0 of the libpulse-binding Rust crate, released on the 22nd of December 2018, fixed a potential use-after-free issue with property list iteration due to a lack of a lifetime constraint tying the lifetime of a proplist::Iterator to the Proplist object for which it was created. This made it possible for users, without experiencing a compiler error/warning, to destroy the Proplist object before the iterator, thus destroying the underlying C object the iterator works upon, before the iterator may be finished with it.

This advisory is being written retrospectively, having previously only been noted in the changelog. No CVE assignment was sought.

This impacts all versions of the crate before 2.5.0 back to 1.0.5. Before version 1.0.5 the function that produces the iterator was broken to the point of being useless.

Patches

Users are required to update to version 2.5.0 or newer.

Versions older than 2.5.0 have been yanked from crates.io as of the 22nd of October 2020.

Permalink: https://github.com/advisories/GHSA-f56g-chqp-22m9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNTZnLWNocXAtMjJtOc4AA5Ct
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 11 days ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-f56g-chqp-22m9
References:

• https://github.com/jnqnfe/pulse-binding-rust/security/advisories/GHSA-f56g-chqp-22m9
• https://github.com/jnqnfe/pulse-binding-rust/commit/9e31c82d71749619387cb9d0c9698134d05b28c9
• https://rustsec.org/advisories/RUSTSEC-2018-0020.html
• https://github.com/advisories/GHSA-6gvc-4jvj-pwq4
• https://github.com/advisories/GHSA-f56g-chqp-22m9

Repository: https://github.com/jnqnfe/pulse-binding-rust
Blast Radius: 18.2

Affected Packages