RUSTSEC-2018-0020

See a problem?

Source

https://rustsec.org/advisories/RUSTSEC-2018-0020

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2018-0020.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2018-0020

Aliases

Published

2018-12-22T12:00:00Z

Modified

2024-02-10T16:26:42.964410Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Possible use-after-free with `proplist::Iterator`

Details

Affected versions contained a possible use-after-free issue with property list iteration due to a lack of a lifetime constraint tying the lifetime of a proplist::Iterator to the Proplist object for which it was created. This made it possible for users, without experiencing a compiler error/warning, to destroy the Proplist object before the iterator, thus destroying the underlying C object the iterator works upon, before the iterator may be finished with it.

This impacts all versions of the crate before 2.5.0 back to 1.0.5. Before version 1.0.5 the function that produces the iterator was broken to the point of being useless.

References

Affected packages

crates.io / libpulse-binding

Package

Name: libpulse-binding; View open source insights on deps.dev
Purl: pkg:cargo/libpulse-binding

Affected ranges

Type: SEMVER
Events: Introduced

1.0.5

Fixed

2.5.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
    "informational": null,
    "categories": [
        "memory-corruption"
    ]
}