owning_ref vulnerable to multiple soundness issues

Moderate severity GitHub Reviewed Published Aug 10, 2022 to the GitHub Advisory Database • Updated Jan 6, 2023

Package

cargo owning_ref (Rust)

Affected versions

<= 0.4.1

Patched versions

None

Description

  • OwningRef::map_with_owner is unsound and may result in a use-after-free.
  • OwningRef::map is unsound and may result in a use-after-free.
  • OwningRefMut::as_owner and OwningRefMut::as_owner_mut are unsound and may result in a use-after-free.
  • The crate violates Rust's aliasing rules, which may cause miscompilations on recent compilers that emit the LLVM noalias attribute.

No patched versions are available at this time. While a pull request with some fixes is outstanding, the maintainer appears to be unresponsive.
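
A lockfile check for the package and range named above, as an added example that is not part of the advisory: it parses Cargo.lock text, flags `owning_ref` entries at or below 0.4.1, and lists the packages that depend on them. The sample lockfile is constructed and `example-cache` is a hypothetical crate.

```rust
#[derive(Default)]
struct Package { name: String, version: String, deps: Vec<String> }
fn quoted(s: &str) -> String { s.split('"').nth(1).unwrap_or("").to_string() }

fn parse_lock(text: &str) -> Vec<Package> {
    let (mut pkgs, mut active, mut in_deps) = (Vec::<Package>::new(), false, false);
    for line in text.lines().map(str::trim) {
        if !in_deps && line.starts_with('[') {
            active = line == "[[package]]"; // other tables such as [metadata] are skipped
            if active { pkgs.push(Package::default()); }
        }
        if !active { continue; }
        let p = pkgs.last_mut().unwrap();
        if in_deps {
            if line.starts_with(']') { in_deps = false } else { p.deps.push(quoted(line)) }
        } else if line.starts_with("name = ") { p.name = quoted(line);
        } else if line.starts_with("version = ") { p.version = quoted(line);
        } else if line.starts_with("dependencies = [") { in_deps = !line.ends_with(']'); }
    }
    pkgs
}

// Affected range from the advisory: <= 0.4.1. Unparseable parts count as 0, so they are flagged.
fn affected(version: &str) -> bool {
    let core = version.split(|c: char| c == '-' || c == '+').next().unwrap_or("");
    let mut n = core.split('.').map(|x| x.parse::<u64>().unwrap_or(0));
    (n.next().unwrap_or(0), n.next().unwrap_or(0), n.next().unwrap_or(0)) <= (0, 4, 1)
}

// For each affected owning_ref entry: (version, lockfile packages that depend on it).
fn findings(lock: &str) -> Vec<(String, Vec<String>)> {
    let pkgs = parse_lock(lock);
    pkgs.iter().filter(|p| p.name == "owning_ref" && affected(&p.version)).map(|hit| {
        let users: Vec<String> = pkgs.iter().filter(|p| p.deps.iter().any(|d| {
            let mut t = d.split_whitespace(); // "name" or "name version (source)"
            t.next() == Some("owning_ref") && t.next().map_or(true, |v| v == hit.version)
        })).map(|p| format!("{} {}", p.name, p.version)).collect();
        (hit.version.clone(), users)
    }).collect()
}

// Added example data: constructed sample lockfile; example-cache is a hypothetical crate.
const SAMPLE_LOCK: &str = concat!(
    "[[package]]\nname = \"example-cache\"\nversion = \"1.2.0\"\ndependencies = [\n \"owning_ref\",\n]\n\n",
    "[[package]]\nname = \"owning_ref\"\nversion = \"0.4.1\"\n\n[metadata]\n");

fn main() {
    findings(SAMPLE_LOCK).iter().for_each(|(v, u)| println!("owning_ref {} affected; used by {:?}", v, u));
}
```

Because the advisory lists no patched version, a hit means removing or replacing the dependency in the listed packages rather than upgrading it.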

References

Published to the GitHub Advisory Database Aug 10, 2022
Reviewed Aug 10, 2022
Last updated Jan 6, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-9qxh-258v-666c
