Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oZnhwLXA2OTUtNjI5eM4AArqu

abomonation transmutes &T to and from &[u8] without sufficient constraints

This transmute is at the core of the abomonation crates. It's so easy to use it to violate alignment requirements that no test in the crate's test suite passes under miri.

The use of this transmute in serialization/deserialization also incorrectly assumes that the layout of a repr(Rust) type is stable.
This transmute can also disclose both the contents of padding bytes which may be an information leak and the contents of pointers, which may be used to defeat ASLR.

Permalink: https://github.com/advisories/GHSA-hfxp-p695-629x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oZnhwLXA2OTUtNjI5eM4AArqu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 12 months ago


Identifiers: GHSA-hfxp-p695-629x
References: Repository: https://github.com/TimelyDataflow/abomonation
Blast Radius: 0.0

Affected Packages

cargo:abomonation
Dependent packages: 27
Dependent repositories: 342
Downloads: 849,608 total
Affected Version Ranges: <= 0.7.3
No known fixed version
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.5.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3