RUSTSEC-2023-0054

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2023-0054

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0054.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2023-0054

Aliases

GHSA-rcx8-48pc-v9q8

Published

2023-08-07T12:00:00Z

Modified

2023-11-08T04:22:42.487180Z

Summary

Use-after-free in `vec_insert_bytes`

Details

Incorrect reallocation logic in the function vec_insert_bytes causes a use-after-free.

This function does not have to be called directly to trigger the vulnerability because many methods on EncodingWriter call this function internally.

The mail-* suite is unmaintained and the upstream sources have been actively vandalised. A fixed mail-internals-ng (and mail-headers-ng and mail-core-ng) crate has been published which fixes this, and a dependency on another unsound crate.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / mail-internals

Package

Name: mail-internals; View open source insights on deps.dev
Purl: pkg:cargo/mail-internals

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "mail_internals::utils::vec_insert_bytes"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": null,
    "categories": [
        "memory-corruption"
    ]
}