logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

RUSTSEC-2022-0034 pkcs11

Package

Manager: cargo
Name: pkcs11
Vulnerable Version: >=0.0.0-0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Safety issues in `pkcs11` ### Impact The interface of `pkcs11` is subject to a number of safety issues, mainly related to handling of raw pointers. Despite presenting a safe interface, many of the functions and methods that rely on inputs which contain pointers (attributes and mechanisms in particular) can lead to segmentation faults and undefined behaviour when those pointers get dereferenced. For more details see the issues referenced below. Other problems that have been identified by the community include use-after-free ([mheese/rust-pkcs11#53](https://github.com/mheese/rust-pkcs11/pull/53)) and unsound uses of `transmute_copy` ([mheese/rust-pkcs11#55](https://github.com/mheese/rust-pkcs11/issues/55)). ### Workarounds Users of the crate need to be _extremely_ careful in all the calls made to avoid segmentation faults and undefined behaviour due to use of stale pointers. Whenever a pointer is derived from a value and passed to the library, that value's lifetime must be guaranteed to outlast all calls that rely on the pointer. For example, users should **avoid** creating or converting values within a separate scope (say, in a dedicated function), deriving a pointer, then extracting the pointer from that scope leaving the value to get dropped before passing the pointer to `pkcs11`. ### References - [mheese/rust-pkcs11#38](https://github.com/mheese/rust-pkcs11/issues/38) - [mheese/rust-pkcs11#53](https://github.com/mheese/rust-pkcs11/pull/53) - [mheese/rust-pkcs11#55](https://github.com/mheese/rust-pkcs11/issues/55) - [mheese/rust-pkcs11#54](https://github.com/mheese/rust-pkcs11/issues/54) - [mheese/rust-pkcs11#50](https://github.com/mheese/rust-pkcs11/issues/50)

Metadata

Created: 2022-07-22T12:00:00Z
Modified: 2022-07-25T17:19:15Z
Source: https://osv-vulnerabilities
CWE IDs: N/A
Alternative ID: N/A
Finding: F138
Auto approve: 1