GHSA-rcx8-48pc-v9q8

Source
https://github.com/advisories/GHSA-rcx8-48pc-v9q8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-rcx8-48pc-v9q8/GHSA-rcx8-48pc-v9q8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rcx8-48pc-v9q8
Aliases
Published
2023-08-24T22:20:47Z
Modified
2023-11-08T04:22:42.487180Z
Summary
mail-internals use-after-free vulnerability in `vec_insert_bytes`
Details

Incorrect reallocation logic in the function `vec_insert_bytes` causes a use-after-free.

This function does not have to be called directly to trigger the vulnerability, because many methods on `EncodingWriter` call it internally.

The mail-* suite is unmaintained and the upstream sources have been actively vandalised. Fixed mail-internals-ng (and mail-headers-ng and mail-core-ng) crates have been published; they fix this issue and also address a dependency on another unsound crate.
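The advisory names the bug class (a buffer-insertion helper whose reallocation handling leaves a stale reference) but does not show the crate's code. The following is an added example, not code from mail-internals or its -ng fork: a safe Rust implementation of an insert-bytes helper, with the hazard the advisory describes explained in the comments. The function name `vec_insert_bytes`, its signature and the sample inputs are assumptions made for illustration; the real crate's signature and exact flaw are not on this page.

```rust
/// Insert `bytes` at index `at` in `buf`, shifting the existing tail to the right.
///
/// Hazard this design avoids (the class of bug described in the advisory):
/// taking a raw pointer or slice into the Vec's storage, then calling something
/// that may grow the Vec (reserve, push, extend, ...), then writing through the
/// stale pointer. Growth can move the allocation, so the old pointer refers to
/// freed memory: a use-after-free. Here every step goes through Vec's own safe
/// API, and all growth happens before any range of the buffer is addressed, so
/// the borrow checker rules the stale-reference ordering out at compile time.
pub fn vec_insert_bytes(buf: &mut Vec<u8>, at: usize, bytes: &[u8]) {
    assert!(
        at <= buf.len(),
        "insertion index {} out of bounds for length {}",
        at,
        buf.len()
    );
    let old_len = buf.len();
    let n = bytes.len();

    // 1. Grow first. After this line the function performs no further
    //    allocation, so nothing below can move the buffer.
    buf.reserve(n);

    // 2. Extend the logical length with placeholder zeros so the tail has
    //    somewhere to move to. (resize cannot reallocate: capacity was reserved.)
    buf.resize(old_len + n, 0);

    // 3. Shift the old tail right by n bytes (memmove semantics: ranges may overlap).
    buf.copy_within(at..old_len, at + n);

    // 4. Fill the gap with the new bytes.
    buf[at..at + n].copy_from_slice(bytes);
}

/// Equivalent one-liner using the standard library's own insertion primitive.
/// Kept separate so both forms can be compared; `splice` handles reallocation
/// and overlap internally.
pub fn vec_insert_bytes_splice(buf: &mut Vec<u8>, at: usize, bytes: &[u8]) {
    buf.splice(at..at, bytes.iter().copied());
}

fn main() {
    // Constructed sample: capacity exactly 4, so the insert must reallocate.
    let mut v: Vec<u8> = Vec::with_capacity(4);
    v.extend_from_slice(b"abcd");
    vec_insert_bytes(&mut v, 2, b"XYZW");
    println!("{}", String::from_utf8_lossy(&v)); // abXYZWcd

    let mut w = b"helloworld".to_vec();
    vec_insert_bytes_splice(&mut w, 5, b", ");
    println!("{}", String::from_utf8_lossy(&w)); // hello, world
}
```

The deliberately small initial capacity in `main` forces the reallocation path, which is exactly the path where an unsafe implementation would dereference a stale pointer; running a unit test of that shape under Miri (`cargo +nightly miri test`) is a cheap way to catch that class of error in an `unsafe` helper before it ships.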

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-24T22:20:47Z"
}
References

Affected packages

crates.io / mail-internals

Package

Name
mail-internals
Purl
pkg:cargo/mail-internals

Affected ranges

Type
SEMVER
Events
Introduced
0.2.0
Last affected
0.2.3

Ecosystem specific

{
    "affected_functions": [
        "mail_internals::utils::vec_insert_bytes"
    ]
}