rustsec-2024-0359
Vulnerability from osv_rustsec
Published
2024-07-24 12:00
Modified
2025-01-19 00:36
Summary
The kstring integration in gix-attributes is unsound
Details
gix-attributes (in state::ValueRef) unsafely creates a &str from a &[u8] containing non-UTF-8 data, with the justification that there is no undefined behaviour (UB) so long as nothing reads the &str and relies on it being valid UTF-8:
// SAFETY: our API makes accessing that value as `str` impossible, so illformed UTF8 is never exposed as such.
The problem is that the non-UTF-8 str is exposed to outside code: first to the kstring crate itself, which requires valid UTF-8 in its documentation and may have UB as a consequence, and also to serde, from where it propagates to serde_json, serde_yaml, etc., where the same problems occur.
This is not sound, and it could cause further UB down the line in these places that can view the &str.
Thanks to Devin Jeanpierre for discovering and reporting this issue.
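The following is an added example, not code from gitoxide, kstring or serde. It puts the unsound pattern the advisory describes beside a sound replacement: a value type that validates the bytes once at construction and only ever hands out a real &str when validation succeeded, while keeping non-UTF-8 values reachable as bytes. The AttrValue and parse_attr_line names, the minimal .gitattributes line parser and the sample lines are this example's own assumptions, and the unsafe function is only ever called with valid input here.

```rust
// Added example; not code from gitoxide, kstring or serde.
use std::str;

/// The unsound pattern from the advisory: a `&str` manufactured from
/// arbitrary bytes. `from_utf8_unchecked` requires valid UTF-8. The
/// original SAFETY comment argued that the `&str` is never read as
/// text, but one crate cannot promise that once the value reaches
/// kstring, serde, or any `Display` impl. Marked `unsafe` so the
/// obligation is visible; never call it with unvalidated input.
pub unsafe fn unsound_as_str(bytes: &[u8]) -> &str {
    str::from_utf8_unchecked(bytes)
}

/// Sound replacement (this example's own type, not gix-attributes'):
/// validate once, and record the outcome in the type.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AttrValue<'a> {
    /// Valid UTF-8: a `&str` may be handed to anyone.
    Text(&'a str),
    /// Invalid UTF-8: only the bytes, plus the offset of the first bad byte.
    Raw { bytes: &'a [u8], valid_up_to: usize },
}

impl<'a> AttrValue<'a> {
    pub fn new(bytes: &'a [u8]) -> Self {
        match str::from_utf8(bytes) {
            Ok(s) => AttrValue::Text(s),
            Err(e) => AttrValue::Raw { bytes, valid_up_to: e.valid_up_to() },
        }
    }

    /// Only a genuinely valid `&str` ever escapes this type.
    pub fn as_str(&self) -> Option<&'a str> {
        match *self {
            AttrValue::Text(s) => Some(s),
            AttrValue::Raw { .. } => None,
        }
    }

    pub fn as_bytes(&self) -> &'a [u8] {
        match *self {
            AttrValue::Text(s) => s.as_bytes(),
            AttrValue::Raw { bytes, .. } => bytes,
        }
    }

    /// What a serializer adapter should do instead of lying about the
    /// type: emit text as a JSON string and raw bytes as a JSON array
    /// of integers, so a serde_json-style consumer never sees bad UTF-8.
    pub fn to_json(&self) -> String {
        match *self {
            AttrValue::Text(s) => {
                let mut out = String::from("\"");
                for c in s.chars() {
                    match c {
                        '"' => out.push_str("\\\""),
                        '\\' => out.push_str("\\\\"),
                        c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
                        c => out.push(c),
                    }
                }
                out.push('"');
                out
            }
            AttrValue::Raw { bytes, .. } => {
                let items: Vec<String> = bytes.iter().map(|b| b.to_string()).collect();
                format!("[{}]", items.join(","))
            }
        }
    }
}

/// Parse one `pattern key=value` line of a .gitattributes file. This
/// is a deliberately minimal parser written for this example only; it
/// returns the attribute name and its (possibly non-UTF-8) value.
pub fn parse_attr_line(line: &[u8]) -> Option<(&str, AttrValue<'_>)> {
    let mut fields = line
        .split(|b| b.is_ascii_whitespace())
        .filter(|f| !f.is_empty());
    let _pattern = fields.next()?;
    let assignment = fields.next()?;
    let eq = assignment.iter().position(|&b| b == b'=')?;
    let key = str::from_utf8(&assignment[..eq]).ok()?;
    Some((key, AttrValue::new(&assignment[eq + 1..])))
}

fn main() {
    // Constructed sample input: one well-formed line and one whose value
    // carries the bytes 0xff 0xfe, which are never valid UTF-8.
    let good: &[u8] = b"*.txt diff=rust";
    let bad: &[u8] = b"*.bin filter=lfs\xff\xfe";
    for line in [good, bad] {
        let (key, value) = parse_attr_line(line).expect("parsable line");
        println!("{}: str={:?} json={}", key, value.as_str(), value.to_json());
    }
}
```

The second line reaches the Raw arm with valid_up_to set to 3, so a caller can report exactly where the attribute value stopped being text instead of silently passing a poisoned &str to whichever crate serializes it next.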
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": null,
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "gix-attributes",
"purl": "pkg:cargo/gix-attributes"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.22.3"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-cx7h-h87r-jpgr"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "`gix-attributes` (in [`state::ValueRef`](https://github.com/Byron/gitoxide/blob/gix-attributes-v0.22.2/gix-attributes/src/state.rs#L19-L27)) unsafely creates a `\u0026str` from a `\u0026[u8]` containing non-UTF8 data, with the justification that so long as nothing reads the `\u0026str` and relies on it being UTF-8 in the `\u0026str`, there is no UB:\n\n```rust\n// SAFETY: our API makes accessing that value as `str` impossible, so illformed UTF8 is never exposed as such.\n```\n\nThe problem is that the non-UTF8 `str` **is** exposed to outside code: first to the `kstring` crate itself, which requires UTF-8 in its documentation and may have UB as a consequence of this, but also to `serde`, where it propagates to e.g. `serde_json`, `serde_yaml`, etc., where the same problems occur.\n\nThis is not sound, and it could cause further UB down the line in these places that can view the `\u0026str`.\n\n*Thanks to [Devin Jeanpierre](https://github.com/ssbr) for discovering and reporting this issue.*",
"id": "RUSTSEC-2024-0359",
"modified": "2025-01-19T00:36:24Z",
"published": "2024-07-24T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/gix-attributes"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0359.html"
},
{
"type": "REPORT",
"url": "https://github.com/GitoxideLabs/gitoxide/issues/1460"
}
],
"related": [],
"severity": [],
"summary": "The kstring integration in gix-attributes is unsound"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.