GHSA-qvc4-78gw-pv8p – enumflags2
Package
Manager: cargo
Name: enumflags2
Vulnerable Version: >=0.7.0 <0.7.7
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Adversarial use of the `make_bitflags!` macro can cause undefined behavior.

The macro relied on an expression of the form `Enum::Variant` always being a variant of the enum. However, it may also be an associated integer constant, in which case there is no guarantee that the value of that constant consists only of bits valid for this bitflag type. Thus, code like the following could create an invalid `BitFlags<Test>`, and iterating over it would trigger undefined behavior. As the debug formatter internally iterates over the value, it is also affected.

```rust
use enumflags2::{bitflags, make_bitflags};

#[bitflags]
#[repr(u8)]
#[derive(Copy, Clone, Debug)]
enum Test {
    A = 1,
    B = 2,
}

impl Test {
    const C: u8 = 69;
}

fn main() {
    let x = make_bitflags!(Test::{C});
    // printing or iterating over x is UB
}
```
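The check the macro skipped, as an added stand-alone example that is not enumflags2's own code: a raw integer is only a valid flag set if every set bit belongs to some variant. `all_bits`, `from_bits`, `from_bits_truncate` and `set_variants` are names chosen here for illustration; the enum mirrors the advisory's `Test` (A = 1, B = 2) with the associated constant `Test::C = 69`, which carries bits 64 and 4 that no variant defines.

```rust
// Added example modelling the validation a checked constructor performs;
// it does not depend on the enumflags2 crate.
#[repr(u8)]
#[derive(Copy, Clone, Debug, PartialEq)]
enum Test {
    A = 1,
    B = 2,
}

impl Test {
    // Associated constant, not a variant: 69 = 0b0100_0101.
    const C: u8 = 69;
    // Every variant; the union of their bits is the set of valid bits.
    const VARIANTS: [Test; 2] = [Test::A, Test::B];
}

/// Union of all variant bits (1 | 2 = 0b11 for `Test`).
fn all_bits() -> u8 {
    Test::VARIANTS.iter().fold(0u8, |acc, v| acc | (*v as u8))
}

/// Checked construction: `Some(raw)` only if `raw` has no bit outside
/// `all_bits()`. This is the guarantee the vulnerable macro assumed
/// without verifying when given an associated constant.
fn from_bits(raw: u8) -> Option<u8> {
    if raw & !all_bits() == 0 { Some(raw) } else { None }
}

/// Truncating construction: silently drops bits no variant defines.
fn from_bits_truncate(raw: u8) -> u8 {
    raw & all_bits()
}

/// Iterating a validated value: the variants whose bit is set. Calling
/// this on an unvalidated value is what the advisory describes as UB.
fn set_variants(valid: u8) -> Vec<Test> {
    Test::VARIANTS.iter().copied().filter(|v| (valid & (*v as u8)) != 0).collect()
}

fn main() {
    // The advisory's scenario: `Test::C` is an integer constant, not a variant.
    println!("from_bits(Test::C) = {:?}", from_bits(Test::C));
    let truncated = from_bits_truncate(Test::C);
    println!("truncated to {} -> {:?}", truncated, set_variants(truncated));
    let ab = from_bits(Test::A as u8 | Test::B as u8).unwrap();
    println!("A | B -> {:?}", set_variants(ab));
}
```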
Metadata
Created: 2023-04-24T16:47:24Z
Modified: 2023-04-24T16:47:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qvc4-78gw-pv8p/GHSA-qvc4-78gw-pv8p.json
CWE IDs: []
Alternative ID: N/A
Finding: F113
Auto approve: 1