GHSA-5m39-wx2q-mxg3

Source
https://github.com/advisories/GHSA-5m39-wx2q-mxg3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-5m39-wx2q-mxg3/GHSA-5m39-wx2q-mxg3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5m39-wx2q-mxg3
Aliases
Published
2022-11-08T21:42:06Z
Modified
2023-11-08T04:15:48.003089Z
Summary
Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`
Details

The compression and decompression functions used `mem::uninitialized` to create an array of uninitialized values, intending to write values into it later. This later leads to reads from uninitialized memory.

The flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf by using a heap-allocated `Vec` and removing the use of `mem::uninitialized`. The fix was released in v0.3.2 and v1.0.0.

Subsequently, the crate was deprecated and its use is discouraged.
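The pattern the fix describes, as an added example that is not the lzf crate's own code: a bounds-checked LZF decoder whose output lives in a heap `Vec` that only grows as bytes are produced, so no uninitialized byte is ever readable. The byte layout (literal runs for control bytes below 32, back-references otherwise) is assumed to follow liblzf, and the sample inputs are constructed.

```rust
// Added example (not from the lzf crate). Assumed LZF layout, per liblzf:
//   ctrl < 32  -> literal run of ctrl + 1 bytes follows
//   ctrl >= 32 -> back-reference: len = (ctrl >> 5) + 2 (+ next byte if ctrl >> 5 == 7),
//                 offset = ((ctrl & 0x1f) << 8) + next byte + 1, measured back from the end
// of the output produced so far.
#[derive(Debug, PartialEq)]
pub enum LzfError {
    TruncatedInput,
    BadBackReference,
    OutputTooLarge,
}

/// Read one input byte or fail on truncated input.
fn take(input: &[u8], ip: &mut usize) -> Result<u8, LzfError> {
    let b = *input.get(*ip).ok_or(LzfError::TruncatedInput)?;
    *ip += 1;
    Ok(b)
}

/// Decompress `input`, refusing to emit more than `max_out` bytes.
/// The output Vec is always fully initialized: nothing is ever read from it
/// that was not written first, which is what the advisory's fix restores.
pub fn decompress(input: &[u8], max_out: usize) -> Result<Vec<u8>, LzfError> {
    let mut out: Vec<u8> = Vec::new();
    let mut ip = 0usize;
    while ip < input.len() {
        let ctrl = take(input, &mut ip)? as usize;
        if ctrl < 32 {
            // Literal run: ctrl + 1 bytes copied verbatim from the input.
            let n = ctrl + 1;
            let lit = input.get(ip..ip + n).ok_or(LzfError::TruncatedInput)?;
            if out.len() + n > max_out { return Err(LzfError::OutputTooLarge); }
            out.extend_from_slice(lit);
            ip += n;
        } else {
            let mut len = (ctrl >> 5) + 2;
            if ctrl >> 5 == 7 { len += take(input, &mut ip)? as usize; }
            let offset = ((ctrl & 0x1f) << 8) + take(input, &mut ip)? as usize + 1;
            // A reference reaching before the start of the output is invalid.
            if offset > out.len() { return Err(LzfError::BadBackReference); }
            if out.len() + len > max_out { return Err(LzfError::OutputTooLarge); }
            let start = out.len() - offset;
            // Copy byte by byte: the source may overlap the bytes being appended.
            for i in 0..len {
                let b = out[start + i];
                out.push(b);
            }
        }
    }
    Ok(out)
}
```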

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T21:42:06Z"
}
References

Affected packages

crates.io / lzf

Package: lzf (crates.io)

Affected ranges

Type: SEMVER
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 0.3.2

Ecosystem specific

{
    "affected_functions": [
        "lzf::compress",
        "lzf::decompress"
    ]
}