
RUSTSEC-2023-0086: Multiple soundness issues #323

Closed
github-actions bot opened this issue Sep 22, 2024 · 1 comment

Comments

@github-actions

Multiple soundness issues

Details
Status: unsound
Package: lexical-core
Version: 0.7.6
URL:
Date: 2023-09-03

RUSTSEC-2024-0377 contains multiple soundness issues:

  1. Bytes::read() allows creating instances of types with invalid bit patterns
  2. BytesIter::read() advances iterators out of bounds
  3. The BytesIter trait has safety invariants but is public and not marked unsafe
  4. write_float() calls MaybeUninit::assume_init() on uninitialized data, which is not allowed by the Rust abstract machine
  5. radix() calls MaybeUninit::assume_init() on uninitialized data, which is not allowed by the Rust abstract machine

Version 1.0 fixes these issues, removes the vast majority of unsafe code, and also fixes some correctness issues.

See advisory page for additional details.

@taiki-e
Collaborator

taiki-e commented Sep 22, 2024

Closing as this is only used in an example.

    ├ lexical-core v0.7.6
      └── nom v5.1.3
          └── config v0.10.1
              └── deadpool v0.7.0
                  └── http-client v6.5.3
                      └── surf v2.3.2
                          └── (dev) smol v2.0.0

@taiki-e taiki-e closed this as completed Sep 22, 2024