GHSA-r24f-hg58-vfrw unsafe-libyaml

Package

Manager: cargo
Name: unsafe-libyaml
Vulnerable Version: >=0 <0.2.10

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

unsafe-libyaml unaligned write of u64 on 32-bit and 16-bit platforms

Affected versions allocate memory using the alignment of `usize` and write data of type `u64` to it, without using `core::ptr::write_unaligned`. On platforms with sub-64-bit alignment for `usize` (including wasm32 and x86) these writes are insufficiently aligned some of the time.

If using an ordinary optimized standard library, the bug exhibits Undefined Behavior, so it may or may not behave in any sensible way, depending on optimization settings, hardware and other factors. If using a Rust standard library built with debug assertions enabled, the bug manifests deterministically in a crash (non-unwinding panic) saying _"ptr::write requires that the pointer argument is aligned and non-null"_.

No 64-bit platform is impacted by the bug. The flaw was corrected by allocating with adequately high alignment on all platforms.
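The two sound ways to store a `u64` that the advisory contrasts, allocation with adequate alignment and `write_unaligned`, shown as an added example that is not code from unsafe-libyaml. `SAFE_ALIGN`, `Buf` and the function names are hypothetical, and the misaligned address is constructed so the case is reproducible on any target.

```rust
use std::alloc::{alloc, dealloc, Layout};
use std::mem::{align_of, size_of};

// Alignment adequate for both `usize` and `u64` on every target.
// (Hypothetical constant for this example.)
const SAFE_ALIGN: usize =
    if align_of::<u64>() > align_of::<usize>() { align_of::<u64>() } else { align_of::<usize>() };

/// True if memory that only guarantees `guaranteed` bytes of alignment
/// can sit at an address that is misaligned for `u64`.
fn may_misalign_u64(guaranteed: usize) -> bool {
    guaranteed < align_of::<u64>()
}

/// Corrected pattern: allocate with adequate alignment, after which a plain
/// `ptr::write` of a `u64` is sound on all targets.
fn roundtrip_aligned(value: u64) -> u64 {
    let layout = Layout::from_size_align(size_of::<u64>(), SAFE_ALIGN).unwrap();
    unsafe {
        let p = alloc(layout) as *mut u64;
        assert!(!p.is_null(), "allocation failed");
        assert_eq!(p as usize % align_of::<u64>(), 0);
        p.write(value);
        let out = p.read();
        dealloc(p as *mut u8, layout);
        out
    }
}

#[repr(align(8))]
struct Buf([u8; 16]);

/// Constructed worst case: an address that is 4-byte but not 8-byte aligned.
/// `write_unaligned`/`read_unaligned` are sound here; plain `write`/`read`
/// would be UB on targets where `u64` requires 8-byte alignment.
fn roundtrip_unaligned(value: u64) -> (usize, u64) {
    let mut buf = Buf([0; 16]);
    unsafe {
        let p = buf.0.as_mut_ptr().add(4) as *mut u64;
        p.write_unaligned(value);
        (p as usize % 8, p.read_unaligned())
    }
}

fn main() {
    println!("usize-aligned memory may misalign u64: {}", may_misalign_u64(align_of::<usize>()));
    println!("{:#x}", roundtrip_aligned(0x1122_3344_5566_7788));
    println!("{:?}", roundtrip_unaligned(u64::MAX));
}
```

On a 64-bit target the first line prints `false`, matching the advisory's statement that no 64-bit platform is impacted.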

Metadata

Created: 2023-12-21T18:14:34Z
Modified: 2023-12-21T18:14:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-r24f-hg58-vfrw/GHSA-r24f-hg58-vfrw.json
CWE IDs: []
Alternative ID: N/A
Finding: F138
Auto approve: 1