GHSA-CX7H-H87R-JPGR
Vulnerability from github – Published: 2024-07-25 16:38 – Updated: 2025-01-21 18:18
Summary
The kstring integration in gix-attributes is unsound
Details
gix-attributes (in state::ValueRef) unsafely creates a &str from a &[u8] containing non-UTF8 data, with the justification that so long as nothing reads the &str and relies on it being UTF-8 in the &str, there is no UB:
// SAFETY: our API makes accessing that value as `str` impossible, so illformed UTF8 is never exposed as such.
The problem is that the non-UTF8 str is exposed to outside code: first to the kstring crate itself, which requires UTF-8 in its documentation and may have UB as a consequence of this, but also to serde, where it propagates to e.g. serde_json, serde_yaml, etc., where the same problems occur.
This is not sound, and it could cause further UB down the line in these places that can view the &str.
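The sound alternative to the pattern described above, as an added example that is not gitoxide's or gix-attributes' code: a byte-backed `ValueRef` stand-in (the name is borrowed from the advisory; this implementation is hypothetical) that never creates a `&str` without validation, plus a hand-rolled JSON writer standing in for a serde `Serialize` impl that emits a byte array instead of an ill-formed string when the value is not UTF-8.

```rust
use std::borrow::Cow;
use std::str::Utf8Error;

/// Hypothetical stand-in for a value read from a .gitattributes file.
/// It holds raw bytes and never claims they are valid UTF-8.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct ValueRef<'a>(&'a [u8]);

impl<'a> ValueRef<'a> {
    /// Wrap arbitrary bytes. No `unsafe`, no `str` is created here.
    pub fn from_bytes(bytes: &'a [u8]) -> Self {
        ValueRef(bytes)
    }

    /// The raw bytes: the only infallible accessor.
    pub fn as_bytes(&self) -> &'a [u8] {
        self.0
    }

    /// Validate before producing a `&str`. Fallible on purpose: non-UTF-8
    /// data becomes an error the caller handles, not a `&str` with a broken
    /// invariant handed on to kstring or serde.
    pub fn to_str(&self) -> Result<&'a str, Utf8Error> {
        std::str::from_utf8(self.0)
    }

    /// Lossy text (U+FFFD for bad sequences) when a caller wants a string
    /// rather than an error, e.g. for diagnostics.
    pub fn to_string_lossy(&self) -> Cow<'a, str> {
        String::from_utf8_lossy(self.0)
    }
}

/// Serialise the way a serde `Serialize` impl should: only validated UTF-8 is
/// written as a JSON string; anything else is written as a byte array, so a
/// downstream serde_json/serde_yaml consumer never sees an ill-formed `str`.
/// Escaping is minimal (quote and backslash only) to keep the example short.
pub fn to_json(value: ValueRef<'_>) -> String {
    match value.to_str() {
        Ok(s) => format!("\"{}\"", s.replace('\\', "\\\\").replace('"', "\\\"")),
        Err(_) => {
            let items: Vec<String> = value.as_bytes().iter().map(|b| b.to_string()).collect();
            format!("[{}]", items.join(","))
        }
    }
}

fn main() {
    // Constructed inputs: a valid value and one containing a stray 0xFF byte.
    println!("{}", to_json(ValueRef::from_bytes(b"lf")));
    println!("{}", to_json(ValueRef::from_bytes(b"la\xffin1")));
}
```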
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "gix-attributes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.22.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-172"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-25T16:38:42Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "`gix-attributes` (in [`state::ValueRef`](https://github.com/Byron/gitoxide/blob/gix-attributes-v0.22.2/gix-attributes/src/state.rs#L19-L27)) unsafely creates a `\u0026str` from a `\u0026[u8]` containing non-UTF8 data, with the justification that so long as nothing reads the `\u0026str` and relies on it being UTF-8 in the `\u0026str`, there is no UB:\n\n```rust\n// SAFETY: our API makes accessing that value as `str` impossible, so illformed UTF8 is never exposed as such.\n```\n\nThe problem is that the non-UTF8 `str` **is** exposed to outside code: first to the `kstring` crate itself, which requires UTF-8 in its documentation and may have UB as a consequence of this, but also to `serde`, where it propagates to e.g. `serde_json`, `serde_yaml`, etc., where the same problems occur.\n\nThis is not sound, and it could cause further UB down the line in these places that can view the `\u0026str`.\n",
"id": "GHSA-cx7h-h87r-jpgr",
"modified": "2025-01-21T18:18:40Z",
"published": "2024-07-25T16:38:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Byron/gitoxide/issues/1460"
},
{
"type": "WEB",
"url": "https://github.com/GitoxideLabs/gitoxide/issues/1460"
},
{
"type": "WEB",
"url": "https://github.com/rustsec/advisory-db/commit/884aaa1646132bc3a27ba058197d6ef039bec294"
},
{
"type": "PACKAGE",
"url": "https://github.com/Byron/gitoxide"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0359.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "The kstring integration in gix-attributes is unsound"
}