Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM5MzMtd3ZqZi1wY3Zj
Out of bounds access in lucet-runtime-internals
An embedding using affected versions of lucet-runtime configured to use non-default Wasm globals sizes of more than 4KiB, or compiled in debug mode without optimizations, could leak data from the signal handler stack to guest programs. This can potentially cause data from the embedding host to leak to guest programs or cause corruption of guest program memory. This flaw was resolved by correcting the sigstack allocation logic.
Permalink: https://github.com/advisories/GHSA-3933-wvjf-pcvcJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM5MzMtd3ZqZi1wY3Zj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Percentage: 0.00209
EPSS Percentile: 0.5952
Identifiers: GHSA-3933-wvjf-pcvc, CVE-2020-35859
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35859
- https://github.com/bytecodealliance/lucet/pull/401
- https://rustsec.org/advisories/RUSTSEC-2020-0004.html
- https://github.com/advisories/GHSA-3933-wvjf-pcvc
Blast Radius: 6.4
Affected Packages
cargo:lucet-runtime-internals
Dependent packages: 5Dependent repositories: 5
Downloads: 21,849 total
Affected Version Ranges: >= 0.5.0, < 0.5.1, < 0.4.3
Fixed in: 0.5.1, 0.4.3
All affected versions: 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.1, 0.5.0
All unaffected versions: 0.4.3, 0.5.1, 0.6.0, 0.6.1