An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1wNnItZmd3Mi1yeGZ4

Critical
EPSS: 0.00504% (0.65284 Percentile)

Arbitrary return types in xcb

Affected Package: cargo:xcb (PURL: pkg:cargo/xcb)
Affected Versions: < 1.0.0
Fixed Versions: 1.0.0

76 Dependent packages
2,099 Dependent repositories
4,065,732 Downloads total

Affected Version Ranges

All affected versions

0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1

All unaffected versions

1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.5.0, 1.6.0

The function xcb::xproto::GetPropertyReply::value() returns a slice of type T where T is an unconstrained type parameter. The raw bytes received from the X11 server are interpreted as the requested type. The users of the xcb crate are advised to only call this function with the intended types. These are u8, u16, and u32.

This issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/95
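
The following self-contained model of the problem described above is an added illustration and is not code from the xcb crate. `PropertyReply`, `PropertyElement`, `value_unconstrained` and `value_checked` are hypothetical names, and the reply bytes are constructed. It places the unconstrained accessor beside a form restricted to u8, u16 and u32.

```rust
use std::{mem, slice};
// Constructed model of a property reply: raw bytes from the server plus the
// element width in bits that the server reported (8, 16 or 32).
pub struct PropertyReply { pub format: u8, pub data: Vec<u8> }

mod sealed { pub trait Sealed {} }
/// Hypothetical sealed trait: downstream code cannot add implementations.
pub trait PropertyElement: sealed::Sealed + Sized {
    const BITS: u8;
    fn decode(chunk: &[u8]) -> Self;
}

macro_rules! impl_element {
    ($($t:ty => $bits:expr),*) => {$(
        impl sealed::Sealed for $t {}
        impl PropertyElement for $t {
            const BITS: u8 = $bits;
            fn decode(chunk: &[u8]) -> Self {
                let mut buf = [0u8; mem::size_of::<$t>()];
                buf.copy_from_slice(chunk);
                <$t>::from_ne_bytes(buf)
            }
        }
    )*};
}
impl_element!(u8 => 8, u16 => 16, u32 => 32);

impl PropertyReply {
    /// The pattern the advisory describes: T is unconstrained, so safe code can
    /// ask for bool, char or a reference type and receive invalid values.
    pub fn value_unconstrained<T>(&self) -> &[T] {
        let len = self.data.len() / mem::size_of::<T>();
        unsafe { slice::from_raw_parts(self.data.as_ptr() as *const T, len) }
    }

    /// Hardened form: T is one of the three intended types, its width must match
    /// the reply's format, and elements are decoded by copy, not pointer cast.
    pub fn value_checked<T: PropertyElement>(&self) -> Option<Vec<T>> {
        let width = usize::from(T::BITS / 8);
        if self.format != T::BITS || self.data.len() % width != 0 { return None; }
        Some(self.data.chunks_exact(width).map(T::decode).collect())
    }
}

fn main() {
    let reply = PropertyReply { format: 32, data: vec![1, 0, 0, 0, 2, 0, 0, 0] };
    let raw_len = reply.value_unconstrained::<u8>().len();
    println!("{:?} {:?} {}", reply.value_checked::<u32>(), reply.value_checked::<u16>(), raw_len);
}
```

With the sealed bound, a call such as `value_checked::<bool>()` is rejected at compile time, and a width mismatch against the reply's format returns `None` at run time.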
