rustsec-2022-0067
Vulnerability from osv_rustsec
Published
2022-10-22 12:00
Modified
2023-06-13 13:10
Summary
Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`
Details

The compression and decompression functions used `mem::uninitialized` to create an array of uninitialized values, intending to write values into it later. Because the array was only partially written before being read, this leads to reads from uninitialized memory.

The flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf by using a heap-allocated `Vec` and removing the use of `mem::uninitialized`. The fix was released in v0.3.2 and v1.0.0.

Subsequently the crate was deprecated and its use is discouraged.
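The pattern the advisory describes is an output buffer whose storage is created before any byte is written, with the partially written buffer then read as if fully initialised. The following is an added example, not code from lzf-rs or from the fixing commit: a toy run-length encoder (`rle_encode`, a stand-in for a compression routine, not LZF) writes through a sink so that the caller owns the buffer, and two sound buffer strategies are shown. `compress_vec` mirrors the advisory's fix (a heap-allocated `Vec` whose `len()` only ever covers written bytes), and `compress_stack` shows the `MaybeUninit` idiom that replaces `mem::uninitialized` when a stack buffer is wanted: no byte is read before it is written, and only the written prefix is exposed. All function names and the constant `CAP` are hypothetical.

```rust
use std::mem::MaybeUninit;

/// Toy run-length encoder standing in for a compression routine (it is not LZF).
/// Each run becomes a (count, byte) pair, so output is at most 2 * input.len().
/// Output goes through `emit` so the caller decides how the buffer is owned.
fn rle_encode(input: &[u8], mut emit: impl FnMut(u8)) {
    let mut i = 0;
    while i < input.len() {
        let byte = input[i];
        let mut run = 1usize;
        while i + run < input.len() && input[i + run] == byte && run < 255 {
            run += 1;
        }
        emit(run as u8);
        emit(byte);
        i += run;
    }
}

/// Worst-case encoded size for `rle_encode`.
pub fn max_encoded_len(input_len: usize) -> usize {
    2 * input_len
}

/// Fix in the spirit of the advisory's correction: a heap-allocated Vec that
/// only ever contains bytes that were actually written. `with_capacity`
/// reserves the worst case up front; `len()` tracks the written prefix, so a
/// later read can never touch memory the encoder did not fill.
pub fn compress_vec(input: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(max_encoded_len(input.len()));
    rle_encode(input, |b| out.push(b));
    out
}

/// Sound stack-buffer alternative to `mem::uninitialized`: a MaybeUninit array
/// where every byte is written via `MaybeUninit::write` before it is read, and
/// only the written prefix is ever turned into a `&[u8]`.
pub fn compress_stack(input: &[u8]) -> Option<Vec<u8>> {
    const CAP: usize = 64; // hypothetical fixed stack budget
    if max_encoded_len(input.len()) > CAP {
        return None; // caller must fall back to the heap path
    }
    let mut buf: [MaybeUninit<u8>; CAP] = [MaybeUninit::uninit(); CAP];
    let mut written = 0usize;
    rle_encode(input, |b| {
        buf[written].write(b);
        written += 1;
    });
    // SAFETY: the first `written` elements were initialised by `write` above,
    // and MaybeUninit<u8> has the same layout as u8. Bytes past `written`
    // are never read.
    let init: &[u8] =
        unsafe { std::slice::from_raw_parts(buf.as_ptr() as *const u8, written) };
    Some(init.to_vec())
}

/// Decoder for the toy format so a round trip can be checked.
pub fn decompress(encoded: &[u8]) -> Option<Vec<u8>> {
    if encoded.len() % 2 != 0 {
        return None;
    }
    let mut out = Vec::new();
    for pair in encoded.chunks_exact(2) {
        let (count, byte) = (pair[0] as usize, pair[1]);
        if count == 0 {
            return None;
        }
        out.extend(std::iter::repeat(byte).take(count));
    }
    Some(out)
}

fn main() {
    // Constructed sample input.
    let input = b"aaaabbbcccd";
    let heap = compress_vec(input);
    let stack = compress_stack(input).expect("fits in CAP");
    assert_eq!(heap, stack);
    println!("encoded {:?} -> {:?}", input, heap);
    println!("round trip ok: {}", decompress(&heap).as_deref() == Some(&input[..]));
}
```

Either strategy keeps the invariant the original code lacked: a byte is only readable after it has been written. Running the crate's tests under Miri (`cargo miri test`) reports a read of uninitialised memory at the point of the first such read, which is how this class of unsoundness is usually caught before release.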


{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": null,
        "informational": "unsound"
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "lzf::compress",
            "lzf::decompress"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "lzf",
        "purl": "pkg:cargo/lzf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.3.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-5m39-wx2q-mxg3"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "The compression and decompression function used `mem:uninitialized`\nto create an array of uninitialized values, to later write values into it.\nThis later leads to reads from uninitialized memory.\n\nThe flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf\nby using a heap-allocated `Vec` and removing out use of `mem::uninitialized`.\nThe fix was released in v0.3.2 and v1.0.0\n\nSubsequently the crate was deprecated and its use is discouraged.",
  "id": "RUSTSEC-2022-0067",
  "modified": "2023-06-13T13:10:24Z",
  "published": "2022-10-22T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/lzf"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0067.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/badboy/lzf-rs/issues/9"
    }
  ],
  "related": [],
  "severity": [],
  "summary": " Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`"
}
