GHSA-v363-rrf2-5fmj – ferris-says
Package
Manager: cargo
Name: ferris-says
Vulnerable Version: >=0.1.2 <=0.2.1 || >=0.3.0 <0.3.1
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
EPSS: N/A (percentile: N/A)
Details
ferris-says has undefined behavior when not using UTF-8

Affected versions receive a `&[u8]` from the caller through a safe API, and pass it directly to the unsafe `str::from_utf8_unchecked` function. The behavior of `ferris_says::say` is undefined if the bytes from the caller don't happen to be valid UTF-8.

The flaw was corrected in [ferris-says#21] by using the safe `str::from_utf8` instead, and returning an error on invalid input. However, this fix has not yet been published to crates.io as a patch version for 0.2.

Separately, [ferris-says#32] has introduced a different API for version 0.3 which accepts input as `&str` rather than `&[u8]`, so is unaffected by this bug.

[ferris-says#21]: https://github.com/rust-lang/ferris-says/pull/21
[ferris-says#32]: https://github.com/rust-lang/ferris-says/pull/32
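As an added illustration (not the advisory's or the ferris-says project's own code), the hypothetical `render_unchecked` below reproduces the defect the advisory describes, a safe signature over `str::from_utf8_unchecked`, next to a hardened form in the spirit of the ferris-says#21 fix that validates with `str::from_utf8` and returns the error; the `frame` helper and all function names are assumptions.

```rust
use std::str::Utf8Error;

/// Vulnerable pattern (hypothetical re-creation of the shape described in
/// the advisory, not ferris-says' code): the signature is safe, so callers
/// may pass any bytes, yet the `unsafe` UTF-8 contract is never checked.
/// Calling this with non-UTF-8 input is undefined behavior.
pub fn render_unchecked(input: &[u8]) -> String {
    // No SAFETY justification is possible here: nothing proves `input`
    // is valid UTF-8. This is the bug.
    let text = unsafe { std::str::from_utf8_unchecked(input) };
    frame(text)
}

/// Hardened form: validate with the safe `str::from_utf8` and surface
/// invalid input to the caller as an error instead of invoking UB.
pub fn render_checked(input: &[u8]) -> Result<String, Utf8Error> {
    let text = std::str::from_utf8(input)?;
    Ok(frame(text))
}

/// Shared rendering helper (hypothetical): puts each line of `text`
/// inside a simple speech-bubble frame padded to the widest line.
fn frame(text: &str) -> String {
    let width = text.lines().map(|l| l.chars().count()).max().unwrap_or(0);
    let mut out = String::new();
    out.push_str(&format!(" {}\n", "_".repeat(width + 2)));
    for line in text.lines() {
        let pad = width - line.chars().count();
        out.push_str(&format!("< {}{} >\n", line, " ".repeat(pad)));
    }
    out.push_str(&format!(" {}\n", "-".repeat(width + 2)));
    out
}

fn main() {
    // Constructed sample: "hi" followed by a byte that is never valid UTF-8.
    let bad: &[u8] = &[0x68, 0x69, 0xff];
    match render_checked(bad) {
        Ok(s) => print!("{}", s),
        // `valid_up_to` tells the caller where validation failed.
        Err(e) => eprintln!("rejected input: valid up to byte {}", e.valid_up_to()),
    }
}
```

The checked version turns the caller-controlled invariant into an explicit error path, which is also the signal a fuzzer or test suite can assert on.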
Metadata
Created: 2024-01-17T20:31:11Z
Modified: 2024-01-17T20:31:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-v363-rrf2-5fmj/GHSA-v363-rrf2-5fmj.json
CWE IDs: []
Alternative ID: N/A
Finding: F113
Auto approve: 1