GHSA-q948-x8rf-888m

Suggest an improvement
Source
https://github.com/advisories/GHSA-q948-x8rf-888m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-q948-x8rf-888m/GHSA-q948-x8rf-888m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q948-x8rf-888m
Aliases
Published
2021-08-25T20:47:55Z
Modified
2023-11-08T04:03:36.337199Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
os_str_bytes relies on undefined behavior of `char::from_u32_unchecked`
Details

The Windows implementation of this crate relied on the behavior of std::char::fromu32unchecked when its safety clause is violated. Even though this worked with Rust versions up to 1.42 (at least), that behavior could change with any new Rust version, possibly leading a security issue.

The flaw was corrected in version 2.0.0.

Database specific 
{
    "nvd_published_at": "2020-12-31T10:15:00Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-704"
    ],
    "github_reviewed_at": "2021-08-19T21:08:17Z",
    "github_reviewed": true
}
References

Affected packages

crates.io / os_str_bytes

Package

Name
os_str_bytes
View open source insights on deps.dev
Purl
pkg:cargo/os_str_bytes

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.0