GHSA-xfhw-6mc4-mgxf – crayon

Package

Manager: cargo
Name: crayon
Vulnerable Version: >=0.6.0 <=0.7.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

crayon: ObjectPool creates uninitialized memory when freeing objects As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its type parameter when it attempts to free an object, and swaps it into the storage. This causes instant undefined behavior due to reading the uninitialized memory in order to write it to the pool storage. Extremely basic usage of the crate can trigger this issue, e.g. this code from a doctest: ```rust use crayon::prelude::*; application::oneshot().unwrap(); let mut params = MeshParams::default(); let mesh = video::create_mesh(params, None).unwrap(); // Deletes the mesh object. video::delete_mesh(mesh); // <-- UB ``` The Clippy warning for this code was silenced in commit c2fde19caf6149d91faa504263f0bc5cafc35de5. Discovered via https://asan.saethlin.dev/ub?crate=crayon&version=0.7.1

Metadata

Created: 2024-04-05T15:40:40Z
Modified: 2024-04-05T15:40:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-xfhw-6mc4-mgxf/GHSA-xfhw-6mc4-mgxf.json
CWE IDs: ["CWE-908"]
Alternative ID: N/A
Finding: F138
Auto approve: 1