GHSA-4v52-7q2x-v4xj – eyre

Package

Manager: cargo
Name: eyre
Vulnerable Version: >=0.6.9 <0.6.12

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

eyre: Parts of Report are dropped as the wrong type during downcast In affected versions, after a `Report` is constructed using `wrap_err` or `wrap_err_with` to attach a message of type `D` onto an error of type `E`, then using `downcast` to recover ownership of either the value of type `D` or the value of type `E`, one of two things can go wrong: - If downcasting to `E`, there remains a value of type `D` to be dropped. It is incorrectly "dropped" by running `E`'s drop behavior, rather than `D`'s. For example if `D` is `&str` and `E` is `std::io::Error`, there would be a call of `std::io::Error::drop` in which the reference received by the `Drop` impl does not refer to a valid value of type `std::io::Error`, but instead to `&str`. - If downcasting to `D`, there remains a value of type `E` to be dropped. When `D` and `E` do not happen to be the same size, `E`'s drop behavior is incorrectly executed in the wrong location. The reference received by the `Drop` impl may point left or right of the real `E` value that is meant to be getting dropped. In both cases, when the `Report` contains an error `E` that has nontrivial drop behavior, the most likely outcome is memory corruption. When the `Report` contains an error `E` that has trivial drop behavior (for example a `Utf8Error`) but where `D` has nontrivial drop behavior (such as `String`), the most likely outcome is that downcasting to `E` would leak `D`.

Metadata

Created: 2024-04-05T15:08:53Z
Modified: 2024-04-05T15:08:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-4v52-7q2x-v4xj/GHSA-4v52-7q2x-v4xj.json
CWE IDs: ["CWE-843"]
Alternative ID: N/A
Finding: F113
Auto approve: 1