Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yY3g4LTQ4cGMtdjlxOM4AA1fd
mail-internals use-after-free vulnerability in `vec_insert_bytes`
Incorrect reallocation logic in the function vec_insert_bytes causes a use-after-free.
This function does not have to be called directly to trigger the vulnerability because many methods on EncodingWriter call this function internally.
The mail-* suite is unmaintained and the upstream sources have been actively vandalised.
A fixed mail-internals-ng (and mail-headers-ng and mail-core-ng) crate has been published which fixes this, and a dependency on another unsound crate.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yY3g4LTQ4cGMtdjlxOM4AA1fd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
Identifiers: GHSA-rcx8-48pc-v9q8
References:
- https://github.com/rustsec/advisory-db/blob/main/crates/mail-internals/RUSTSEC-2023-0054.md
- https://rustsec.org/advisories/RUSTSEC-2023-0054.html
- https://github.com/advisories/GHSA-rcx8-48pc-v9q8
Affected Packages
cargo:mail-internals
Dependent packages: 6Dependent repositories: 4
Downloads: 10,154 total
Affected Version Ranges: >= 0.2.0, <= 0.2.3
No known fixed version
All affected versions: 0.2.0, 0.2.1, 0.2.2, 0.2.3