Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM5MzMtd3ZqZi1wY3Zj

Out of bounds access in lucet-runtime-internals

An embedding using affected versions of lucet-runtime configured to use non-default Wasm globals sizes of more than 4KiB, or compiled in debug mode without optimizations, could leak data from the signal handler stack to guest programs. This can potentially cause data from the embedding host to leak to guest programs or cause corruption of guest program memory. This flaw was resolved by correcting the sigstack allocation logic.

Permalink: https://github.com/advisories/GHSA-3933-wvjf-pcvc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM5MzMtd3ZqZi1wY3Zj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: about 1 year ago


CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Percentage: 0.00209
EPSS Percentile: 0.5952

Identifiers: GHSA-3933-wvjf-pcvc, CVE-2020-35859
References: Repository: https://github.com/bytecodealliance/lucet
Blast Radius: 6.4

Affected Packages

cargo:lucet-runtime-internals
Dependent packages: 5
Dependent repositories: 5
Downloads: 21,849 total
Affected Version Ranges: >= 0.5.0, < 0.5.1, < 0.4.3
Fixed in: 0.5.1, 0.4.3
All affected versions: 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.1, 0.5.0
All unaffected versions: 0.4.3, 0.5.1, 0.6.0, 0.6.1