GHSA-h3mf-4fwp-59c7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h3mf-4fwp-59c7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-h3mf-4fwp-59c7/GHSA-h3mf-4fwp-59c7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h3mf-4fwp-59c7
- Withdrawn
- 2021-08-24T18:08:17Z
- Published
- 2021-08-05T19:58:06Z
- Modified
- 2021-08-24T18:08:17Z
- Summary
- VecStorage Deserialize Allows Violation of Length Invariant
- Details
-
The
Deserializeimplementation forVecStoragedid not maintain the invariant that the number of elements must equalnrows * ncols. Deserialization of specially crafted inputs could allow memory access beyond allocation of the vector.This flaw was introduced in v0.11.0 (
086e6e) due to the addition of an automatically derived implementation ofDeserializeforMatrixVec.MatrixVecwas later renamed toVecStoragein v0.16.13 (0f66403) and continued to use the automatically derived implementation ofDeserialize.This flaw was corrected in commit
5bff536by returning an error during deserialization if the number of elements does not exactly match the expected size. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2021-08-05T19:57:42Z", "nvd_published_at": null, "severity": "MODERATE", "cwe_ids": [] }- References
-
- https://github.com/dimforge/nalgebra/issues/883
- https://github.com/dimforge/nalgebra/pull/889
- https://github.com/dimforge/nalgebra/commit/a803271fcce75b7c151e92aa099dfa546db4adc5
- https://github.com/dimforge/nalgebra
- https://github.com/dimforge/nalgebra/blob/dev/CHANGELOG.md#0270
- https://rustsec.org/advisories/RUSTSEC-2021-0070.html
Affected packages
crates.io / nalgebra
Package
- Name
- nalgebra
- View open source insights on deps.dev
- Purl
- pkg:cargo/nalgebra