GHSA-jf5h-cf95-w759

Source

https://github.com/advisories/GHSA-jf5h-cf95-w759

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-jf5h-cf95-w759/GHSA-jf5h-cf95-w759.json

Aliases

CVE-2021-45687
GHSA-w428-f65r-h4q2
RUSTSEC-2021-0089

Published

2022-06-17T00:16:24Z

Modified

2023-11-08T04:07:21.872047Z

Details

When activating the non-default feature serialize, most structs implement serde::Deserialize without sufficient validation. This allows breaking invariants in safe code, leading to:

Undefined behavior in as_string() methods (which use std::str::from_utf8_unchecked() internally).
Panics due to failed assertions.

See https://github.com/gz/rust-cpuid/issues/43.

References

https://github.com/gz/rust-cpuid/issues/43
https://github.com/gz/rust-cpuid
https://rustsec.org/advisories/RUSTSEC-2021-0089.html

Affected packages

crates.io / raw-cpuid

Package

Name: raw-cpuid

Affected ranges

Type: SEMVER
Events: Introduced

3.1.0

Fixed

9.1.1