RUSTSEC-2020-0004

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2020-0004

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0004.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2020-0004

Aliases

CVE-2020-35859
GHSA-3933-wvjf-pcvc

Published

2020-01-24T12:00:00Z

Modified

2023-11-08T04:03:35.973145Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator

Summary

sigstack allocation bug can cause memory corruption or leak

Details

An embedding using affected versions of lucet-runtime configured to use non-default Wasm globals sizes of more than 4KiB, or compiled in debug mode without optimizations, could leak data from the signal handler stack to guest programs. This can potentially cause data from the embedding host to leak to guest programs or cause corruption of guest program memory.

This flaw was resolved by correcting the sigstack allocation logic.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / lucet-runtime-internals

Package

Name: lucet-runtime-internals; View open source insights on deps.dev
Purl: pkg:cargo/lucet-runtime-internals

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

0.4.3

Introduced

0.5.0

Fixed

0.5.1

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
    "informational": null,
    "categories": [
        "memory-corruption",
        "memory-exposure"
    ]
}