Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oZnhwLXA2OTUtNjI5eM4AArqu

abomonation transmutes &T to and from &[u8] without sufficient constraints

This transmute is at the core of the abomonation crate. It is so easy to use it to violate alignment requirements that no test in the crate's test suite passes under Miri.

The use of this transmute in serialization/deserialization also incorrectly assumes that the layout of a repr(Rust) type is stable across compiler versions.
This transmute can also disclose both the contents of padding bytes, which may be an information leak, and the contents of pointers, which may be used to defeat ASLR.
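The two failure modes named above, padding disclosure on encode and a missing alignment check on decode, in a self-contained Rust example. This is added illustration, not code from the abomonation crate: the `Record` type, the 0xAA "stale memory" fill, the `encode`/`decode_checked` helpers and the `Aligned` scratch buffer are all constructed here. The same byte-copy mechanism would also emit the raw value of any pointer or reference field, which is the ASLR point in the advisory; that case is not shown separately.

```rust
use std::mem::{align_of, size_of, MaybeUninit};
use std::ptr;

/// A repr(Rust) struct of the kind abomonation copies to and from bytes.
/// Fields total 7 bytes; the struct is padded to a multiple of its alignment
/// (4 on mainstream targets), so size_of::<Record>() is 8 and one byte is padding.
#[derive(Debug, Clone, Copy, PartialEq)]
struct Record {
    tag: u8,
    value: u32,
    count: u16,
}

/// Padding bytes in `Record`: total size minus the bytes the fields occupy.
fn padding_bytes() -> usize {
    size_of::<Record>() - (size_of::<u8>() + size_of::<u32>() + size_of::<u16>())
}

/// Construct a `Record` in memory pre-filled with `fill`, writing only the three
/// fields so the padding byte keeps its old contents. This models what a
/// byte-copying serializer is exposed to: padding holds whatever the allocation
/// held before (an earlier value, key material, part of a pointer).
fn record_in_dirty_memory(fill: u8, tag: u8, value: u32, count: u16) -> MaybeUninit<Record> {
    let mut slot = MaybeUninit::<Record>::uninit();
    let p = slot.as_mut_ptr();
    // SAFETY: `p` is valid for size_of::<Record>() bytes owned by `slot`. Every
    // byte is written (fill first, then each field), so nothing stays uninit.
    unsafe {
        ptr::write_bytes(p as *mut u8, fill, size_of::<Record>());
        ptr::addr_of_mut!((*p).tag).write(tag);
        ptr::addr_of_mut!((*p).value).write(value);
        ptr::addr_of_mut!((*p).count).write(count);
    }
    slot
}

/// The encode step: view the struct's storage as a byte slice and copy it out.
fn encode(slot: &MaybeUninit<Record>) -> Vec<u8> {
    // SAFETY: record_in_dirty_memory initialised every byte of `slot`, so
    // reading them as u8 is defined. (Reading genuine uninit padding is not.)
    let bytes = unsafe {
        std::slice::from_raw_parts(slot.as_ptr() as *const u8, size_of::<Record>())
    };
    bytes.to_vec()
}

/// How many bytes of `encoded` still carry the pre-fill pattern: bytes that were
/// never part of any field yet ended up in the serialised output.
fn leaked_fill_bytes(encoded: &[u8], fill: u8) -> usize {
    encoded.iter().filter(|&&b| b == fill).count()
}

/// The decode step with the check abomonation does not do: a `&[u8]` carries no
/// alignment guarantee, and turning a misaligned pointer into `&Record` is UB on
/// the spot. Returns None for short or misaligned input instead.
fn decode_checked(bytes: &[u8]) -> Option<&Record> {
    if bytes.len() < size_of::<Record>() {
        return None;
    }
    let p = bytes.as_ptr();
    if (p as usize) % align_of::<Record>() != 0 {
        return None;
    }
    // Only sound here because every Record field (u8, u32, u16) accepts any bit
    // pattern and the bytes were produced by this same binary; the repr(Rust)
    // layout is not stable across compiler versions, so bytes from another build
    // may decode with a different field order.
    Some(unsafe { &*(p as *const Record) })
}

/// 8-byte aligned scratch buffer so the caller controls the input's alignment.
#[repr(C, align(8))]
struct Aligned([u8; 16]);

/// Decode `encoded` once from an aligned position and once shifted by one byte.
fn decode_at_offsets(encoded: &[u8]) -> (Option<Record>, Option<Record>) {
    let n = encoded.len();
    let mut buf = Aligned([0u8; 16]);
    buf.0[..n].copy_from_slice(encoded);
    let aligned = decode_checked(&buf.0[..n]).copied();
    buf.0.copy_within(0..n, 1); // same bytes, now starting at offset 1
    let misaligned = decode_checked(&buf.0[1..n + 1]).copied();
    (aligned, misaligned)
}

fn main() {
    let slot = record_in_dirty_memory(0xAA, 1, 0x0102_0304, 0x0506);
    let encoded = encode(&slot);
    println!("encoded bytes: {:02x?}", encoded);
    println!("padding bytes leaked: {}", leaked_fill_bytes(&encoded, 0xAA));
    let (ok, bad) = decode_at_offsets(&encoded);
    println!("aligned decode: {:?}", ok);
    println!("misaligned decode (rejected): {:?}", bad);
}
```

Run it under Miri as well: the aligned path passes, and removing the `% align_of` test in `decode_checked` is exactly the kind of change Miri flags, which is why the crate's own tests fail there.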

Permalink: https://github.com/advisories/GHSA-hfxp-p695-629x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oZnhwLXA2OTUtNjI5eM4AArqu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 11 months ago


Identifiers: GHSA-hfxp-p695-629x
References: Repository: https://github.com/TimelyDataflow/abomonation
Blast Radius: 0.0

Affected Packages

cargo:abomonation
Dependent packages: 21
Dependent repositories: 342
Downloads: 824,584 total
Affected Version Ranges: <= 0.7.3
No known fixed version
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.5.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3