Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yeGh4LTlmajYtNmgybc4AArrF
enum_map macro can cause UB when `Enum` trait is incorrectly implemented
Affected versions of this crate did not properly check the length of an enum when using the enum_map! macro, trusting the user-provided length.
When the LENGTH constant in the Enum trait does not match the array length in the EnumArray trait, the enum map can be initialized with uninitialized values, which in turn can allow an attacker to execute arbitrary code.
This problem can only occur with a manual implementation of the Enum trait; it will never occur for enums that use #[derive(Enum)].
Example code that triggers this vulnerability looks like this (imports and a main function added so it compiles as a program; the hand-written Enum impl is the point):

use enum_map::{enum_map, Enum, EnumArray, EnumMap};

enum E {
    A,
    B,
    C,
}

impl Enum for E {
    // Claims two variants, although E has three.
    const LENGTH: usize = 2;

    fn from_usize(value: usize) -> E {
        match value {
            0 => E::A,
            1 => E::B,
            2 => E::C,
            _ => unimplemented!(),
        }
    }

    fn into_usize(self) -> usize {
        self as usize
    }
}

impl<V> EnumArray<V> for E {
    // The backing array holds three slots, but LENGTH above says two.
    type Array = [V; 3];
}

fn main() {
    // The macro trusts LENGTH, so the remaining slot is left uninitialized.
    let _map: EnumMap<E, String> = enum_map! { _ => "Hello, world!".into() };
}
The flaw was corrected in commit b824e23 by putting the LENGTH property on a sealed trait for the macro to read, so the length can no longer be supplied by a user implementation.
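As an added example (not the crate's code and not the fix itself), the check below mirrors the idea behind the fix: take the element count from the array type rather than from the user-supplied LENGTH, and refuse to build a map when a manual Enum impl is inconsistent. The Enum and EnumArray traits are local mocks with the same shape as in the advisory; Bad is the advisory's enum and Good is a constructed consistent impl.

```rust
use std::mem::size_of;
// Mock of the two traits named in the advisory (constructed here, not enum-map's own code).
pub trait Enum: Sized {
    const LENGTH: usize;
    fn from_usize(value: usize) -> Self;
    fn into_usize(self) -> usize;
}
pub trait EnumArray<V>: Enum { type Array; }
/// Element count of `E::Array`, taken from the type (for `[V; N]`, size is N * size_of::<V>()),
/// not from the user-provided `LENGTH`.
fn array_len<E: EnumArray<V>, V>() -> usize {
    assert!(size_of::<V>() > 0, "zero-sized V carries no length information");
    size_of::<E::Array>() / size_of::<V>()
}
/// Check a manual impl before trusting it: LENGTH must equal the array length, and the index conversions must round-trip.
pub fn validate<E: EnumArray<V>, V>() -> Result<usize, String> {
    let n = array_len::<E, V>();
    if E::LENGTH != n {
        return Err(format!("LENGTH is {} but Array holds {} elements", E::LENGTH, n));
    }
    for i in 0..n {
        if E::from_usize(i).into_usize() != i {
            return Err(format!("from_usize/into_usize do not round-trip at index {}", i));
        }
    }
    Ok(n)
}
/// Build fully initialised backing storage only after validation: an inconsistent impl yields an error, never uninitialised memory.
pub fn build_map<E: EnumArray<V>, V>(init: impl Fn(E) -> V) -> Result<Vec<V>, String> {
    let n = validate::<E, V>()?;
    Ok((0..n).map(|i| init(E::from_usize(i))).collect())
}
// The advisory's inconsistent enum: LENGTH says 2, Array says 3.
pub enum Bad { A, B, C }
impl Enum for Bad {
    const LENGTH: usize = 2;
    fn from_usize(v: usize) -> Bad { match v { 0 => Bad::A, 1 => Bad::B, 2 => Bad::C, _ => unimplemented!() } }
    fn into_usize(self) -> usize { self as usize }
}
impl<V> EnumArray<V> for Bad { type Array = [V; 3]; }
// A consistent manual impl (constructed) for comparison.
pub enum Good { X, Y }
impl Enum for Good {
    const LENGTH: usize = 2;
    fn from_usize(v: usize) -> Good { match v { 0 => Good::X, _ => Good::Y } }
    fn into_usize(self) -> usize { self as usize }
}
impl<V> EnumArray<V> for Good { type Array = [V; 2]; }
```

With the advisory's enum, validate returns an error describing the 2-versus-3 mismatch; with the consistent impl it returns the length and build_map produces a fully initialized two-element store.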
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yeGh4LTlmajYtNmgybc4AArrF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-rxhx-9fj6-6h2m
References:
- https://github.com/rustsec/advisory-db/blob/main/crates/enum-map/RUSTSEC-2022-0010.md
- https://rustsec.org/advisories/RUSTSEC-2022-0010.html
- https://github.com/xfix/enum-map/commit/b824e232f2fb47837740070096ac253df8e80dfc
- https://github.com/xfix/enum-map/blob/master/CHANGELOG.md#version-202
- https://gitlab.com/KonradBorowski/enum-map/-/blob/master/CHANGELOG.md#version-202
- https://github.com/advisories/GHSA-rxhx-9fj6-6h2m
Blast Radius: 0.0
Affected Packages
cargo:enum-map
Dependent packages: 99
Dependent repositories: 1,240
Downloads: 9,913,819 total
Affected Version Ranges: >= 2.0.0-2, < 2.0.2
Fixed in: 2.0.2
All affected versions: 2.0.0, 2.0.0-2, 2.0.1
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.2.17, 0.2.18, 0.2.19, 0.2.20, 0.2.21, 0.2.22, 0.2.23, 0.2.24, 0.2.25, 0.2.26, 0.2.27, 0.2.28, 0.2.29, 0.2.30, 0.2.31, 0.2.32, 0.2.33, 0.2.34, 0.2.35, 0.2.36, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 1.0.0, 1.1.0, 1.1.1, 2.0.2, 2.0.3, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3