GHSA-ghpq-vjxw-ch5w

Suggest an improvement
Source
https://github.com/advisories/GHSA-ghpq-vjxw-ch5w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-ghpq-vjxw-ch5w/GHSA-ghpq-vjxw-ch5w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ghpq-vjxw-ch5w
Aliases
Published
2021-08-25T20:56:52Z
Modified
2023-11-08T04:00:15.029606Z
Summary
Use after free in libpulse-binding
Details

Overview

Version 1.2.1 of the libpulse-binding Rust crate, released on the 15th of June 2018, fixed a pair of use-after-free issues with the objects returned by the get_format_info and get_context methods of Stream objects. These objects were mistakenly being constructed without setting an important flag to prevent destruction of the underlying C objects they reference upon their own destruction.

This advisory is being written retrospectively, having previously only been noted in the changelog. No CVE assignment was sought.

Patches

Users are required to update to version 1.2.1 or newer.

Versions older than 1.2.1 have been yanked from crates.io. This was believed to have already been done at the time of the 1.2.1 release, but upon double checking now they were found to still be available, so has been done now (22nd October 2020).

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-416"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T20:41:10Z"
}
References

Affected packages

crates.io / libpulse-binding

Package

Name
libpulse-binding
View open source insights on deps.dev
Purl
pkg:cargo/libpulse-binding

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.1

Ecosystem specific

{
    "affected_functions": [
        "libpulse_binding::stream::Stream::get_context",
        "libpulse_binding::stream::Stream::get_format_info"
    ]
}