RUSTSEC-2023-0054

Source
https://rustsec.org/advisories/RUSTSEC-2023-0054
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0054.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2023-0054
Published
2023-08-07T12:00:00Z
Modified
2023-11-08T04:22:42.487180Z
Summary
Use-after-free in `vec_insert_bytes`
Details

Incorrect reallocation logic in the function `vec_insert_bytes` causes a use-after-free.

This function does not have to be called directly to trigger the vulnerability, because many methods on `EncodingWriter` call it internally.

The mail-* suite is unmaintained and the upstream sources have been actively vandalised. A fixed mail-internals-ng crate (along with mail-headers-ng and mail-core-ng) has been published; it fixes this issue and also addresses a dependency on another unsound crate.

Database specific
{
    "license": "CC0-1.0"
}

Affected packages

crates.io / mail-internals

Package

Name
mail-internals
Purl
pkg:cargo/mail-internals

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "mail_internals::utils::vec_insert_bytes"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": null,
    "categories": [
        "memory-corruption"
    ]
}