GHSA-9qxh-258v-666c

Source

https://github.com/advisories/GHSA-9qxh-258v-666c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-9qxh-258v-666c/GHSA-9qxh-258v-666c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9qxh-258v-666c

Aliases

RUSTSEC-2022-0040

Published

2022-08-10T17:26:00Z

Modified

2023-11-08T04:18:04.747199Z

Summary

owning_ref vulnerable to multiple soundness issues

Details

OwningRef::map_with_owner is unsound and may result in a use-after-free.
OwningRef::map is unsound and may result in a use-after-free.
OwningRefMut::as_owner and OwningRefMut::as_owner_mut are unsound and may result in a use-after-free.
The crate violates Rust's aliasing rules, which may cause miscompilations on recent compilers that emit the LLVM noalias attribute.

No patched versions are available at this time. While a pull request with some fixes is outstanding, the maintainer appears to be unresponsive.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [],
    "github_reviewed_at": "2022-08-10T17:26:00Z",
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

crates.io / owning_ref

Package

Name: owning_ref; View open source insights on deps.dev
Purl: pkg:cargo/owning_ref

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.4.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-9qxh-258v-666c/GHSA-9qxh-258v-666c.json"