RUSTSEC-2024-0360

See a problem?

Source

https://rustsec.org/advisories/RUSTSEC-2024-0360

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0360.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2024-0360

Published

2024-07-26T12:00:00Z

Modified

2024-07-26T18:09:25Z

Summary

`XmpFile::close` can trigger UB

Details

Affected versions of the crate failed to catch C++ exceptions raised within the XmpFile::close function. If such an exception occured, it would trigger undefined behavior, typically a process abort.

This is best demonstrated in issue #230, where a race condition causes the close call to fail due to file I/O errors.

This was fixed in PR #232 (released as crate version 1.9.0), which now safely handles the exception.

For backward compatibility, the existing API ignores the error. A new API XmpFile::try_close was added to allow callers to receive and process the error result.

Users of all prior versions of xmp_toolkit are encouraged to update to version 1.9.0 to avoid undefined behavior.

References

Affected packages

crates.io / xmp_toolkit

Package

Name: xmp_toolkit; View open source insights on deps.dev
Purl: pkg:cargo/xmp_toolkit

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

1.9.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "xmp_toolkit::XmpFile::close"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": "unsound",
    "categories": []
}