RUSTSEC-2020-0048: Use-after-free in BodyStream due to lack of pinning #1597

Closed
github-actions bot opened this issue Sep 27, 2020 · 1 comment · Fixed by #1599
@github-actions

Use-after-free in BodyStream due to lack of pinning

| Details | |
|---|---|
| Package | actix-http |
| Version | 0.2.11 |
| URL | actix/actix-web#1321 |
| Date | 2020-01-24 |
| Patched versions | >= 2.0.0-alpha.1 |

Affected versions of this crate did not require the buffer wrapped in `BodyStream` to be pinned,
but treated it as if it had a fixed location in memory. This may result in a use-after-free.

The flaw was corrected by making the trait `MessageBody` require `Unpin`
and making `poll_next()` function accept `Pin<&mut Self>` instead of `&mut self`.

See advisory page for additional details.
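
The shape of the fix described in the advisory, as an added example that is not actix-http's code: `ChunkStream`, `Countdown` and `BodyWrapper` are hypothetical names, and a local trait stands in for the real stream trait so the block builds with the standard library only. It shows a wrapper whose `poll_next` takes `Pin<&mut Self>` and requires `Unpin`, so an address-sensitive stream has to be heap-pinned before it can be wrapped.

```rust
use std::cell::Cell;
use std::marker::PhantomPinned;
use std::pin::Pin;
use std::sync::Arc;
use std::task::{Context, Poll, Wake, Waker};

// Hypothetical stand-in for a stream/body trait: the receiver is pinned.
trait ChunkStream {
    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<u8>>;
}

// Constructed stream that opts out of Unpin, as a self-referential one would.
struct Countdown { left: Cell<u8>, _pin: PhantomPinned }
impl ChunkStream for Countdown {
    fn poll_next(self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<Option<u8>> {
        let n = self.left.get();
        if n == 0 { return Poll::Ready(None); }
        self.left.set(n - 1);
        Poll::Ready(Some(n - 1))
    }
}

// A heap-pinned stream is itself Unpin: moving the Box never moves the pointee.
impl<S: ChunkStream + ?Sized> ChunkStream for Pin<Box<S>> {
    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<u8>> {
        self.get_mut().as_mut().poll_next(cx)
    }
}

// Wrapper in the shape of the fix: `S: Unpin` makes `Pin::new` safe, no `unsafe`.
struct BodyWrapper<S> { stream: S }
impl<S: ChunkStream + Unpin> ChunkStream for BodyWrapper<S> {
    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<u8>> {
        Pin::new(&mut self.get_mut().stream).poll_next(cx)
    }
}

struct NoopWake;
impl Wake for NoopWake { fn wake(self: Arc<Self>) {} }

fn drain() -> Vec<u8> {
    let waker = Waker::from(Arc::new(NoopWake));
    let mut cx = Context::from_waker(&waker);
    // BodyWrapper<Countdown> has no poll_next (Countdown is !Unpin): Box::pin it.
    let stream = Box::pin(Countdown { left: Cell::new(3), _pin: PhantomPinned });
    let mut body = BodyWrapper { stream };
    let mut out = Vec::new();
    while let Poll::Ready(Some(b)) = Pin::new(&mut body).poll_next(&mut cx) { out.push(b); }
    out
}
fn main() { println!("{:?}", drain()); }
```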

@tmpolaczyk

Actually, we are not using actix-http, it's only compiled because it's an optional dependency of actix, enabled by default.
