RUSTSEC-2024-0347: Vulnerability in zerovec

Rust Crates.io Security Advisory



RUSTSEC-2024-0347

Incorrect usage of #[repr(packed)]


Reported
Issued

Package

zerovec
(crates.io)

Type

Vulnerability

Categories
Patched
  • >=0.10.4
  • >=0.9.7, <0.10.0

Description

The affected versions make unsafe memory accesses under the assumption that #[repr(packed)] has a guaranteed field order.

The Rust specification does not guarantee this, and https://github.com/rust-lang/rust/pull/125360 (1.80.0-beta) starts
reordering fields of #[repr(packed)] structs, leading to illegal memory accesses.

The patched versions 0.9.7 and 0.10.4 use #[repr(C, packed)], which guarantees field order.
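
The layout difference described above, as an added example (not zerovec's code): the `Fixed` and `Unspecified` records and all function names are constructed for illustration. It pins the layout with #[repr(C, packed)] and adds a compile-time guard so a layout change breaks the build rather than the unsafe read. It assumes a toolchain with `offset_of!` (Rust 1.77 or later).

```rust
use std::mem::{offset_of, size_of};

// Constructed 7-byte wire record (not a zerovec type): tag, LE u32, LE u16.
// repr(C) pins declaration order; packed removes padding and sets align 1.
#[allow(dead_code)]
#[repr(C, packed)]
pub struct Fixed { tag: u8, value: u32, len: u16 }

// Same fields, order left to the compiler: the pattern the advisory describes.
#[allow(dead_code)]
#[repr(packed)]
pub struct Unspecified { tag: u8, value: u32, len: u16 }

// Build-time guard: a layout change fails compilation instead of
// silently invalidating the pointer cast in `parse`.
const _: () = {
    assert!(size_of::<Fixed>() == 7);
    assert!(offset_of!(Fixed, tag) == 0);
    assert!(offset_of!(Fixed, value) == 1);
    assert!(offset_of!(Fixed, len) == 5);
};

pub fn fixed_offsets() -> [usize; 3] {
    [offset_of!(Fixed, tag), offset_of!(Fixed, value), offset_of!(Fixed, len)]
}

// Whatever the compiler chose; code must not depend on these values.
pub fn unspecified_offsets() -> [usize; 3] {
    [offset_of!(Unspecified, tag), offset_of!(Unspecified, value), offset_of!(Unspecified, len)]
}

pub fn parse(bytes: &[u8]) -> Option<&Fixed> {
    if bytes.len() != size_of::<Fixed>() {
        return None;
    }
    // SAFETY: length checked; Fixed has alignment 1, a layout pinned by
    // repr(C, packed), and every bit pattern is valid for its integer fields.
    Some(unsafe { &*(bytes.as_ptr() as *const Fixed) })
}

pub fn decode(r: &Fixed) -> (u8, u32, u16) {
    // Copy packed fields out by value; never take references to them.
    (r.tag, u32::from_le(r.value), u16::from_le(r.len))
}

fn main() {
    println!("repr(C, packed): {:?}", fixed_offsets());
    println!("repr(packed):    {:?}", unspecified_offsets());
}
```

The offsets printed for the #[repr(packed)] struct may differ between compiler versions, which is why the example asserts only on the #[repr(C, packed)] one.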

Advisory available under CC0-1.0 license.
