GHSA-2326-pfpj-vx3h

Source
https://github.com/advisories/GHSA-2326-pfpj-vx3h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-2326-pfpj-vx3h/GHSA-2326-pfpj-vx3h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2326-pfpj-vx3h
Published
2024-09-16T17:19:01Z
Modified
2024-09-16T17:19:01Z
Summary
lexical-core has multiple soundness issues
Details

RUSTSEC-2024-0377 contains multiple soundness issues:

  1. Bytes::read() allows creating instances of types with invalid bit patterns
  2. BytesIter::read() advances iterators out of bounds
  3. The BytesIter trait has safety invariants but is public and not marked unsafe
  4. write_float() calls MaybeUninit::assume_init() on uninitialized data, which is not allowed by the Rust abstract machine
  5. radix() calls MaybeUninit::assume_init() on uninitialized data, which is not allowed by the Rust abstract machine

Version 1.0 fixes these issues, removes the vast majority of unsafe code, and also fixes some correctness issues.

Affected packages

crates.io / lexical-core

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.0