Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1wNnItZmd3Mi1yeGZ4
Arbitrary return types in xcb
The function xcb::xproto::GetPropertyReply::value() returns a slice of type T where T is an unconstrained type parameter. The raw bytes received from the X11 server are interpreted as the requested type. The users of the xcb crate are advised to only call this function with the intended types. These are u8, u16, and u32.
This issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/95
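The unsoundness described above comes from letting the caller pick an arbitrary `T` and then reinterpreting server-supplied bytes as `&[T]`. The following added example (not code from the xcb crate or the rust-xcb project) models the hardened shape a defender would want: the type parameter is constrained by a sealed trait that only `u8`, `u16` and `u32` implement, and the reply's own `format` and length fields are validated before any byte is decoded. `GetPropertyReply`, `PropertyValue`, `value_checked` and the little-endian byte order are assumptions of this model, not the crate's API.

```rust
// Added example: a type-constrained replacement for an unconstrained
// `value<T>()` accessor. Self-contained model; not the xcb crate's code.
// Assumed: `GetPropertyReply`, `PropertyValue`, `value_checked` are
// hypothetical names, and property bytes are little-endian.

use std::convert::TryInto;

/// Sealed-trait pattern: nothing outside this module can implement `Sealed`,
/// so `PropertyValue` is limited to the three widths X11 actually transports.
mod sealed {
    pub trait Sealed {}
    impl Sealed for u8 {}
    impl Sealed for u16 {}
    impl Sealed for u32 {}
}

pub trait PropertyValue: sealed::Sealed + Sized + Copy {
    /// Element width in bits as carried in the reply's `format` field (8, 16 or 32).
    const FORMAT: u8;
    /// Decode one element from exactly `size_of::<Self>()` bytes.
    fn from_le(bytes: &[u8]) -> Self;
}

impl PropertyValue for u8 {
    const FORMAT: u8 = 8;
    fn from_le(b: &[u8]) -> u8 { b[0] }
}
impl PropertyValue for u16 {
    const FORMAT: u8 = 16;
    fn from_le(b: &[u8]) -> u16 { u16::from_le_bytes(b.try_into().expect("2 bytes")) }
}
impl PropertyValue for u32 {
    const FORMAT: u8 = 32;
    fn from_le(b: &[u8]) -> u32 { u32::from_le_bytes(b.try_into().expect("4 bytes")) }
}

/// Minimal stand-in for a GetProperty reply: the `format` byte, the element
/// count the server claims, and the raw value bytes (all constructed here).
pub struct GetPropertyReply {
    pub format: u8,
    pub value_len: u32,
    pub data: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum ValueError {
    /// Caller asked for a width that does not match what the server sent.
    FormatMismatch { requested: u8, actual: u8 },
    /// The server's claimed element count exceeds the bytes actually received.
    Truncated { expected_bytes: usize, actual_bytes: usize },
    /// value_len * element width does not fit in usize.
    LengthOverflow,
}

impl GetPropertyReply {
    /// Safe decoder: `T` can only be u8/u16/u32, and the reply's own metadata
    /// is checked against the requested type before bytes are interpreted.
    pub fn value_checked<T: PropertyValue>(&self) -> Result<Vec<T>, ValueError> {
        if self.format != T::FORMAT {
            return Err(ValueError::FormatMismatch { requested: T::FORMAT, actual: self.format });
        }
        let width = std::mem::size_of::<T>();
        let expected = (self.value_len as usize)
            .checked_mul(width)
            .ok_or(ValueError::LengthOverflow)?;
        if self.data.len() < expected {
            return Err(ValueError::Truncated { expected_bytes: expected, actual_bytes: self.data.len() });
        }
        // chunks_exact yields slices of exactly `width` bytes, so from_le cannot panic.
        Ok(self.data[..expected].chunks_exact(width).map(T::from_le).collect())
    }
}

/// Constructed sample: a format-32 property holding the values 1 and 0x1234.
pub fn sample_reply() -> GetPropertyReply {
    GetPropertyReply { format: 32, value_len: 2, data: vec![1, 0, 0, 0, 0x34, 0x12, 0, 0] }
}

fn main() {
    let reply = sample_reply();
    println!("as u32: {:?}", reply.value_checked::<u32>());
    println!("as u16: {:?}", reply.value_checked::<u16>());
}
```

With `T` bounded by the sealed trait, a request for any other type is a compile-time error rather than a reinterpretation of server bytes, and a mismatch between the requested width and the reply's `format` field is reported instead of silently returning misaligned or mis-sized data.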
Permalink: https://github.com/advisories/GHSA-mp6r-fgw2-rxfx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1wNnItZmd3Mi1yeGZ4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-mp6r-fgw2-rxfx, CVE-2021-26956
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-26956
- https://github.com/RustSec/advisory-db/issues/653
- https://rustsec.org/advisories/RUSTSEC-2021-0019.html
- https://github.com/rust-x-bindings/rust-xcb/issues/95
- https://github.com/advisories/GHSA-mp6r-fgw2-rxfx
Blast Radius: 32.6
Affected Packages
cargo:xcb
Dependent packages: 65
Dependent repositories: 2,099
Downloads: 2,840,233 total
Affected Version Ranges: < 1.0.0
Fixed in: 1.0.0
All affected versions: 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1
All unaffected versions: 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0