rustsec-2021-0050
Vulnerability from osv_rustsec
swap_index takes an iterator and swaps the items with their corresponding
indexes. It reserves capacity and sets the length of the vector based on the
.len() method of the iterator.
If the len() returned by the iterator is larger than the actual number of
elements yielded, then swap_index creates a vector containing uninitialized
members. If the len() returned by the iterator is smaller than the actual
number of members yielded, then swap_index can write out of bounds past
its allocated vector.
As noted by the Rust documentation, len()
and size_hint() are primarily meant for optimization and incorrect values
from their implementations should not lead to memory safety violations.
Patch
A new version crate was pushed that marks this function as unsafe.
reorder = "1.1.0"
Previous versions have also been yanked from crates.io.
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "reorder",
"purl": "pkg:cargo/reorder"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "1.1.0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"CVE-2021-29941",
"CVE-2021-29942",
"GHSA-3h87-v52r-p9rg",
"GHSA-jpwg-6gf5-5vh9"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "`swap_index` takes an iterator and swaps the items with their corresponding\nindexes. It reserves capacity and sets the length of the vector based on the\n`.len()` method of the iterator.\n\nIf the `len()` returned by the iterator is larger than the actual number of\nelements yielded, then `swap_index` creates a vector containing uninitialized\nmembers. If the `len()` returned by the iterator is smaller than the actual\nnumber of members yielded, then `swap_index` can write out of bounds past\nits allocated vector.\n\nAs noted by the Rust documentation, [`len()`](https://doc.rust-lang.org/std/iter/trait.ExactSizeIterator.html#method.len)\nand `size_hint()` are primarily meant for optimization and incorrect values\nfrom their implementations should not lead to memory safety violations.\n\n\n# Patch\n\nA new version crate was pushed that marks this function as unsafe.\n\nreorder = \"1.1.0\"\n\nPrevious versions have also been yanked from crates.io.",
"id": "RUSTSEC-2021-0050",
"modified": "2023-06-13T13:10:24Z",
"published": "2021-02-24T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/reorder"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0050.html"
},
{
"type": "REPORT",
"url": "https://github.com/tiby312/reorder/issues/1"
}
],
"related": [],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "swap_index can write out of bounds and return uninitialized memory"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.