GHSA-3qm2-rfqw-fmrw

Source

https://github.com/advisories/GHSA-3qm2-rfqw-fmrw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3qm2-rfqw-fmrw/GHSA-3qm2-rfqw-fmrw.json

Aliases

CVE-2021-28031
RUSTSEC-2021-0030

Published

2022-05-24T17:43:48Z

Modified

2023-11-08T04:05:27.727053Z

Details

Affected versions of scratchpad used ptr::read to read elements while calling a user provided function f on them. Since the pointer read duplicates ownership, a panic inside the user provided f function could cause a double free when unwinding.

The flaw was fixed in commit 891561bea by removing the unsafe block and using a plain iterator.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-28031
https://github.com/okready/scratchpad/issues/1
https://github.com/okready/scratchpad/commit/891561bea
https://github.com/okready/scratchpad
https://rustsec.org/advisories/RUSTSEC-2021-0030.html

Affected packages

crates.io / scratchpad

Package

Name: scratchpad

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.3.1

Ecosystem specific

{
    "affected_functions": [
        "scratchpad::SliceMoveSource::move_elements"
    ]
}