RUSTSEC-2024-0001

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2024-0001

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0001.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2024-0001

Aliases

GHSA-v363-rrf2-5fmj

Published

2024-01-13T12:00:00Z

Modified

2024-02-10T16:26:48.909247Z

Summary

Unsound use of str::from_utf8_unchecked on bytes which are not UTF-8

Details

Affected versions receive a &[u8] from the caller through a safe API, and pass it directly to the unsafe str::from_utf8_unchecked function.

The behavior of ferris_says::say is undefined if the bytes from the caller don't happen to be valid UTF-8.

The flaw was corrected in [ferris-says#21] by using the safe str::from_utf8 instead, and returning an error on invalid input. However this fix has not yet been published to crates.io as a patch version for 0.2.

Separately, [ferris-says#32] has introduced a different API for version 0.3 which accepts input as &str rather than &[u8], so is unaffected by this bug.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / ferris-says

Package

Name: ferris-says; View open source insights on deps.dev
Purl: pkg:cargo/ferris-says

Affected ranges

Type: SEMVER
Events: Introduced

0.1.3-0

Fixed

0.3.1

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": "unsound",
    "categories": []
}