RUSTSEC-2018-0008

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2018-0008

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2018-0008.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2018-0008

Aliases

CVE-2018-20995
GHSA-hr3c-6mmp-6m39

Related

RUSTSEC-2019-0002

Published

2018-12-05T12:00:00Z

Modified

2023-11-08T04:00:13.614447Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Bug in SliceDeque::move_head_unchecked allows read of corrupted memory

Details

Affected versions of this crate did not properly update the head and tail of the deque when inserting and removing elements from the front if, before insertion or removal, the tail of the deque was in the mirrored memory region, and if, after insertion or removal, the head of the deque is exactly at the beginning of the mirrored memory region.

An attacker that controls both element insertion and removal into the deque could put it in a corrupted state. Once the deque enters such an state, its head and tail are corrupted, but in bounds of the allocated memory. This can result in partial reads and writes, reads of uninitialized memory, reads of memory containing previously dropped objects, etc. An attacker could exploit this to alter program execution.

The flaw was corrected by properly updating the head and tail of the deque in this case.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / slice-deque

Package

Name: slice-deque; View open source insights on deps.dev
Purl: pkg:cargo/slice-deque

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

0.1.16

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "informational": null,
    "categories": []
}