rustsec-2021-0044
Vulnerability from osv_rustsec
Affected versions of this crate transmuted a &str to a &'static str before
pushing it into a StackVec, this value was then popped later in the same
function.
This was assumed to be safe because the reference would be valid while the
method's stack was active. In between the push and the pop, however, a function
f was called that could invoke a user provided function.
If the user provided panicked, then the assumption used by the function was no
longer true and the transmute to &'static would create an illegal static
reference to the string. This could result in a freed string being used during
(such as in a Drop implementation) or after (e.g through catch_unwind) the
panic unwinding.
This flaw was corrected in commit e325e2f
by using a guard object to ensure that the &'static str was dropped inside
the function.
{
"affected": [
{
"database_specific": {
"categories": [
"memory-corruption"
],
"cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "rocket",
"purl": "pkg:cargo/rocket"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.4.7"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"CVE-2021-29935",
"GHSA-vcw4-8ph6-7vw8"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "Affected versions of this crate transmuted a `\u0026str` to a `\u0026\u0027static str` before\npushing it into a `StackVec`, this value was then popped later in the same\nfunction.\n\nThis was assumed to be safe because the reference would be valid while the\nmethod\u0027s stack was active. In between the push and the pop, however, a function\n`f` was called that could invoke a user provided function.\n\nIf the user provided panicked, then the assumption used by the function was no\nlonger true and the transmute to `\u0026\u0027static` would create an illegal static\nreference to the string. This could result in a freed string being used during\n(such as in a `Drop` implementation) or after (e.g through `catch_unwind`) the\npanic unwinding.\n\nThis flaw was corrected in commit [e325e2f](https://github.com/SergioBenitez/Rocket/commit/e325e2fce4d9f9f392761e9fb58b418a48cef8bb)\nby using a guard object to ensure that the `\u0026\u0027static str` was dropped inside\nthe function.",
"id": "RUSTSEC-2021-0044",
"modified": "2023-06-13T13:10:24Z",
"published": "2021-02-09T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/rocket"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0044.html"
},
{
"type": "REPORT",
"url": "https://github.com/SergioBenitez/Rocket/issues/1534"
}
],
"related": [],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Use after free possible in `uri::Formatter` on panic"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.