RUSTSEC-2023-0055
- Source
- https://rustsec.org/advisories/RUSTSEC-2023-0055
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0055.json
- JSON Data
- https://api.osv.dev/v1/vulns/RUSTSEC-2023-0055
- Aliases
- Related
- Published
- 2023-09-03T12:00:00Z
- Modified
- 2024-09-16T14:15:37Z
- Summary
- Multiple soundness issues
- Details
-
lexicalcontains multiple soundness issues:- Bytes::read() allows creating instances of types with invalid bit patterns
- BytesIter::read() advances iterators out of bounds
- The
BytesItertrait has safety invariants but is public and not markedunsafe write_float()callsMaybeUninit::assume_init()on uninitialized data, which is is not allowed by the Rust abstract machineradix()callsMaybeUninit::assume_init()on uninitialized data, which is is not allowed by the Rust abstract machine
The crate also has some correctness issues.
Alternatives
For quickly parsing floating-point numbers third-party crates are no longer needed. A fast float parsing algorithm by the author of
lexicalhas been merged into libcore.For quickly parsing integers, consider
atoiandbtoicrates (100% safe code).atoi_radix10provides even faster parsing, but only with-C target-cpu=native, and at the cost of someunsafe.For formatting integers in a
#[no_std]context consider thenumtoacrate.For working with big numbers consider
num-bigintandnum-traits. - Database specific
{ "license": "CC0-1.0" }- References
-
- https://crates.io/crates/lexical
- https://rustsec.org/advisories/RUSTSEC-2023-0055.html
- https://github.com/Alexhuszagh/rust-lexical/issues/102
- https://github.com/Alexhuszagh/rust-lexical/issues/101
- https://github.com/Alexhuszagh/rust-lexical/issues/95
- https://github.com/Alexhuszagh/rust-lexical/issues/104
- https://github.com/Alexhuszagh/rust-lexical/issues/126
Affected packages
crates.io / lexical
Package
- Name
- lexical
- View open source insights on deps.dev
- Purl
- pkg:cargo/lexical