GHSA-v363-rrf2-5fmj

Source

https://github.com/advisories/GHSA-v363-rrf2-5fmj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-v363-rrf2-5fmj/GHSA-v363-rrf2-5fmj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v363-rrf2-5fmj

Aliases

RUSTSEC-2024-0001

Published

2024-01-17T20:31:11Z

Modified

2024-02-10T16:26:48.909247Z

Summary

ferris-says has undefined behavior when not using UTF-8

Details

Affected versions receive a &[u8] from the caller through a safe API, and pass it directly to the unsafe str::from_utf8_unchecked function.

The behavior of ferris_says::say is undefined if the bytes from the caller don't happen to be valid UTF-8.

The flaw was corrected in [ferris-says#21] by using the safe str::from_utf8 instead, and returning an error on invalid input. However this fix has not yet been published to crates.io as a patch version for 0.2.

Separately, [ferris-says#32] has introduced a different API for version 0.3 which accepts input as &str rather than &[u8], so is unaffected by this bug.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-17T20:31:11Z"
}

References

Affected packages

crates.io / ferris-says

Package

Name: ferris-says; View open source insights on deps.dev
Purl: pkg:cargo/ferris-says

Affected ranges

Type: SEMVER
Events: Introduced

0.1.2

Last affected

0.2.1

crates.io / ferris-says

Package

Name: ferris-says; View open source insights on deps.dev
Purl: pkg:cargo/ferris-says

Affected ranges

Type: SEMVER
Events: Introduced

0.3.0

Fixed

0.3.1