* Add lexical-core advisory.
* No need to list alternatives now that a patched version is available
* Better description of 1.0 changes
* Change to RUSTSEC-0000-0000 for ID assignment to work properly
* List RUSTSEC-2023-0055 as a related advisory
* Correct package name

---------

Co-authored-by: Sergey "Shnatsel" Davidoff <[email protected]>
1 parent 2e0d528, commit 3436ad8
Showing 2 changed files with 26 additions and 1 deletion.
@@ -0,0 +1,24 @@ | ||
```toml | ||
[advisory] | ||
id = "RUSTSEC-0000-0000" | ||
package = "lexical-core" | ||
date = "2023-09-03" | ||
informational = "unsound" | ||
references = ["https://github.com/Alexhuszagh/rust-lexical/issues/102", "https://github.com/Alexhuszagh/rust-lexical/issues/101", "https://github.com/Alexhuszagh/rust-lexical/issues/95", "https://github.com/Alexhuszagh/rust-lexical/issues/104", "https://github.com/Alexhuszagh/rust-lexical/issues/126"] | ||
related = ["RUSTSEC-2023-0055"] | ||
|
||
[versions] | ||
patched = [">= 1.0.0"] | ||
``` | ||
|
||
# Multiple soundness issues | ||
|
||
`RUSTSEC-2024-0377` contains multiple soundness issues: | ||
|
||
1. [Bytes::read() allows creating instances of types with invalid bit patterns](https://github.com/Alexhuszagh/rust-lexical/issues/102) | ||
1. [BytesIter::read() advances iterators out of bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101) | ||
1. [The `BytesIter` trait has safety invariants but is public and not marked `unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104) | ||
1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/95) | ||
1. [`radix()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/126) | ||
|
||
Version 1.0 fixes these issues, removes the vast majority of `unsafe` code, and also fixes some correctness issues. |
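Review bot: the body line `RUSTSEC-2024-0377` contains multiple soundness issues: names an advisory ID that does not match the front matter, which deliberately uses the placeholder `id = "RUSTSEC-0000-0000"` so that an ID is assigned on merge; the subject of that sentence should be the crate, i.e. `lexical-core` contains multiple soundness issues:, otherwise the published advisory will point readers at a different ID than the one it is given. Two smaller points in the same hunk: list items 4 and 5 repeat a word (`which is is not allowed by the Rust abstract machine`), and the `references` array is ordered 102, 101, 95, 104, 126 while the numbered list is ordered 102, 101, 104, 95, 126, so aligning the two orders would make it easier to check that every listed issue has a reference and vice versa. The `patched = [">= 1.0.0"]` range is consistent with the closing sentence that 1.0 fixes these issues.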