Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yMjRmLWhnNTgtdmZyd84AA399
unsafe-libyaml unaligned write of u64 on 32-bit and 16-bit platforms
Affected versions allocate memory using the alignment of usize and write data of type u64 to it, without using core::ptr::write_unaligned. On platforms with sub-64-bit alignment for usize (including wasm32 and x86) these writes are insufficiently aligned some of the time.
If using an ordinary optimized standard library, the bug exhibits Undefined Behavior so may or may not behave in any sensible way, depending on optimization settings and hardware and other things. If using a Rust standard library built with debug assertions enabled, the bug manifests deterministically in a crash (non-unwinding panic) saying "ptr::write requires that the pointer argument is aligned and non-null".
No 64-bit platform is impacted by the bug.
The flaw was corrected by allocating with adequately high alignment on all platforms.
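The following is an added example, not code from unsafe-libyaml or its author, contrasting the allocation pattern the advisory describes with the two corrected forms: requesting u64 alignment from the allocator (the fix actually applied) and using write_unaligned. The function names are hypothetical. A 64-bit host already returns 8-byte-aligned memory for a usize-aligned layout, so the example manufactures the 32-bit failure case deliberately by taking a pointer 4 bytes into a properly aligned allocation, which is 4-byte aligned but not 8-byte aligned, exactly what a usize-aligned allocation can hand back on wasm32.

```rust
// Added example (not unsafe-libyaml's code). Function names are hypothetical.
use std::alloc::{alloc, dealloc, Layout};
use std::mem::{align_of, size_of};
use std::ptr;

/// Layout as the affected versions computed it (per the advisory): aligned like usize.
/// On wasm32 that is 4 bytes, below what ptr::write::<u64> requires.
fn usize_aligned_layout(slots: usize) -> Layout {
    Layout::from_size_align(slots * size_of::<u64>(), align_of::<usize>()).unwrap()
}

/// The applied fix: request u64 alignment explicitly, on every platform.
fn u64_aligned_layout(slots: usize) -> Layout {
    Layout::from_size_align(slots * size_of::<u64>(), align_of::<u64>()).unwrap()
}

fn is_aligned_for<T>(p: *const u8) -> bool {
    (p as usize) % align_of::<T>() == 0
}

/// Mirrors the precondition a debug-assertions std checks before ptr::write:
/// refuse with the same message instead of invoking undefined behavior.
fn checked_write_u64(p: *mut u8, v: u64) -> Result<(), &'static str> {
    if p.is_null() || !is_aligned_for::<u64>(p) {
        return Err("ptr::write requires that the pointer argument is aligned and non-null");
    }
    // SAFETY: caller guarantees p points to 8 writable bytes; alignment checked above.
    unsafe { ptr::write(p as *mut u64, v) };
    Ok(())
}

/// Alternative fix: write_unaligned is defined for any alignment.
fn unaligned_write_u64(p: *mut u8, v: u64) {
    // SAFETY: caller guarantees p points to 8 writable bytes.
    unsafe { ptr::write_unaligned(p as *mut u64, v) }
}

fn read_u64(p: *const u8) -> u64 {
    // SAFETY: caller guarantees p points to 8 initialized, readable bytes.
    unsafe { ptr::read_unaligned(p as *const u64) }
}

/// Returns (aligned write accepted, misaligned write accepted, value read back
/// after an unaligned write at the misaligned address).
fn demo() -> (bool, bool, u64) {
    let layout = u64_aligned_layout(4); // 32 bytes, 8-byte aligned
    unsafe {
        let base = alloc(layout);
        assert!(!base.is_null(), "allocation failed");
        // Offset 4 is 4-byte aligned but not 8-byte aligned on hosts where
        // align_of::<u64>() == 8 (assumed here); it simulates the 32-bit case.
        let misaligned = base.add(4);
        let aligned_ok = checked_write_u64(base, 1).is_ok();
        let misaligned_ok = checked_write_u64(misaligned, 2).is_ok();
        unaligned_write_u64(misaligned, 0x1122_3344_5566_7788);
        let v = read_u64(misaligned);
        dealloc(base, layout);
        (aligned_ok, misaligned_ok, v)
    }
}

fn main() {
    let (a, m, v) = demo();
    println!("usize-aligned layout align = {}", usize_aligned_layout(4).align());
    println!("u64-aligned layout align   = {}", u64_aligned_layout(4).align());
    println!("aligned write ok: {a}, misaligned write accepted: {m}, read back: {v:#x}");
}
```

On a 64-bit host both layouts report alignment 8, which is why the advisory says no 64-bit platform is affected; the misaligned pointer is only reached here because the example constructs it. The checked write shows what a debug-assertions standard library turns the bug into, while write_unaligned shows that the same write is well-defined once the code stops asserting an alignment it did not request.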
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yMjRmLWhnNTgtdmZyd84AA399
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 11 months ago
Identifiers: GHSA-r24f-hg58-vfrw
References:
- https://github.com/dtolnay/unsafe-libyaml/issues/21
- https://github.com/dtolnay/unsafe-libyaml/commit/7755559145c9cf5573639bfecc557893d4a46b0d
- https://rustsec.org/advisories/RUSTSEC-2023-0075.html
- https://github.com/advisories/GHSA-r24f-hg58-vfrw
Blast Radius: 0.0
Affected Packages
cargo:unsafe-libyaml
Dependent packages: 8
Dependent repositories: 3,837
Downloads: 41,977,277 total
Affected Version Ranges: < 0.2.10
Fixed in: 0.2.10
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9
All unaffected versions: 0.2.10, 0.2.11