Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yNDV4LWdocjItcWp4Y84AArtA

Duplicate Advisory: `#[zeroize(drop)]` doesn't implement `Drop` for `enum`s

Duplicate Advisory

This advisory is a duplicate of GHSA-c5hx-w945-j4pq. This link is preserved to maintain external references.

Original Description

Affected versions of this crate did not implement `Drop` when `#[zeroize(drop)]` was used on an `enum`.

This can result in memory not being zeroed out after dropping it, which is exactly what is intended when adding this attribute.

The flaw was corrected in version 1.2 and `#[zeroize(drop)]` on enums now properly implements `Drop`.
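The behaviour the attribute is supposed to produce, written out by hand as an added example (this is not code from the advisory, the ecosyste.ms page, or the zeroize_derive crate): an enum holding secret material gets a `Drop` impl that volatile-writes zeros over the fields of the active variant, and a counter makes it observable that the drop hook actually ran. The enum, its field names and the counter are constructed for illustration; the volatile-write-plus-fence pattern is the standard way to stop the compiler from eliding dead stores.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, AtomicUsize, Ordering};

// Constructed stand-in for a type that would carry `#[zeroize(drop)]`
// in a real crate; variant and field names are hypothetical.
#[derive(Debug)]
pub enum SecretMaterial {
    SymmetricKey([u8; 16]),
    Token(Vec<u8>),
    Empty,
}

// Counts how many values were zeroized from `Drop`, so a caller can check
// that the hook runs (the missing piece in the affected versions).
static DROPS_ZEROIZED: AtomicUsize = AtomicUsize::new(0);

/// Overwrite a byte slice with zeros using volatile stores and a compiler
/// fence, so the writes are not optimised away as dead stores.
fn zero_bytes(bytes: &mut [u8]) {
    for b in bytes.iter_mut() {
        // SAFETY: `b` is a valid, aligned, unique reference to a u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

impl SecretMaterial {
    /// Zero the fields of whichever variant is active. The discriminant is
    /// left alone; only the payload is wiped.
    pub fn zeroize(&mut self) {
        match self {
            SecretMaterial::SymmetricKey(key) => zero_bytes(key),
            // The Vec keeps its length here so the result stays inspectable;
            // a production impl would also clear it after zeroing.
            SecretMaterial::Token(tok) => zero_bytes(tok.as_mut_slice()),
            SecretMaterial::Empty => {}
        }
    }

    /// True when every payload byte of the active variant is zero.
    pub fn is_zeroed(&self) -> bool {
        match self {
            SecretMaterial::SymmetricKey(key) => key.iter().all(|&b| b == 0),
            SecretMaterial::Token(tok) => tok.iter().all(|&b| b == 0),
            SecretMaterial::Empty => true,
        }
    }
}

// This impl is what `#[zeroize(drop)]` is meant to generate for an enum and
// what the affected versions silently omitted.
impl Drop for SecretMaterial {
    fn drop(&mut self) {
        self.zeroize();
        DROPS_ZEROIZED.fetch_add(1, Ordering::SeqCst);
    }
}

/// Number of `SecretMaterial` values whose `Drop` ran the zeroize step.
pub fn zeroizing_drops() -> usize {
    DROPS_ZEROIZED.load(Ordering::SeqCst)
}

fn main() {
    let mut key = SecretMaterial::SymmetricKey([0xAB; 16]);
    key.zeroize();
    println!("{:?} zeroed: {}", key, key.is_zeroed());
    {
        let _tok = SecretMaterial::Token(b"constructed-token".to_vec());
    } // `_tok` dropped here; Drop zeroizes it and bumps the counter
    println!("drops that zeroized: {}", zeroizing_drops());
}
```

Without the `impl Drop` block the enum compiles and behaves identically from the caller's side, which is why the missing implementation in the affected versions was easy to miss: nothing fails, the bytes simply stay in memory after the value goes out of scope.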

Permalink: https://github.com/advisories/GHSA-r45x-ghr2-qjxc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNDV4LWdocjItcWp4Y84AArtA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago

Withdrawn: almost 2 years ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-r45x-ghr2-qjxc
References: Repository: https://github.com/iqlusioninc/crates
Blast Radius: 29.4

Affected Packages

cargo:zeroize_derive
Dependent packages: 8
Dependent repositories: 8,438
Downloads: 36,524,164 total
Affected Version Ranges: < 1.1.1
Fixed in: 1.1.1
All affected versions: 0.1.0, 0.7.0, 0.8.0, 0.9.0, 0.9.3, 0.10.0, 1.0.0, 1.0.1, 1.1.0
All unaffected versions: 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2