Description

Unsound access to padding bytes while serializing date/time values using the Mysql backend Diesel-async uses the mysql-async crate for interacting with Mysql compatible databases. This library already provides access to deserialized data for date/time releated types. Diesel-async then translated these deserialized data back to their serialized binary representation to hook into diesels desearialization framework.

While serializing these data/time values again Diesel-async relied on a cast between the MysqlTime #[repr(C)] struct (defined by Diesel) and a byte array. As this cast exposes padding bytes contained in this struct, this is undefined behaviour.

This vulnerability affects any user deserializing date/time values using the Mysql backend and diesel-async.

This affects any usage of the following functions with a AsyncMysqlConnection provided by diesel-async:

diesel::serialize::FromSql<Timestamp, Mysql>

diesel::serialize::FromSql<Time, Mysql>

diesel::serialize::FromSql<Date, Mysql>

diesel::serialize::FromSql<DateTime, Mysql>

Mitigation

The preferred mitigation to the outlined problem is to update to Diesel-async version 0.9.0 or newer, which includes fixes for the problem.

Resolution

Diesel-async now just calls a safe serialization method provided by Diesel 2.3.9 and newer

Aliases