From 3436ad83d54eafa7e3bad5ddbf3dd0d9d9b5163e Mon Sep 17 00:00:00 2001 From: Alexander Huszagh Date: Mon, 16 Sep 2024 09:15:37 -0500 Subject: [PATCH] Add lexical-core advisory. (#2082) * Add lexical-core advisory. * No need to list alternatives now that a patched version is available * Better description of 1.0 changes * Change to RUSTSEC-0000-0000 for ID assignment to work properly * List RUSTSEC-2023-0055 as a related advisory * Correct package name --------- Co-authored-by: Sergey "Shnatsel" Davidoff --- crates/lexical-core/RUSTSEC-0000-0000.md | 24 ++++++++++++++++++++++++ crates/lexical/RUSTSEC-2023-0055.md | 3 ++- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 crates/lexical-core/RUSTSEC-0000-0000.md
diff --git a/crates/lexical-core/RUSTSEC-0000-0000.md b/crates/lexical-core/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..7582de0a1
--- /dev/null
+++ b/crates/lexical-core/RUSTSEC-0000-0000.md
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "lexical-core"
+date = "2023-09-03"
+informational = "unsound"
+references = ["https://github.com/Alexhuszagh/rust-lexical/issues/102", "https://github.com/Alexhuszagh/rust-lexical/issues/101", "https://github.com/Alexhuszagh/rust-lexical/issues/95", "https://github.com/Alexhuszagh/rust-lexical/issues/104", "https://github.com/Alexhuszagh/rust-lexical/issues/126"]
+related = ["RUSTSEC-2023-0055"]
+
+[versions]
+patched = [">= 1.0.0"]
+```
+
+# Multiple soundness issues
+
+`RUSTSEC-2024-0377` contains multiple soundness issues:
+
+ 1. [Bytes::read() allows creating instances of types with invalid bit patterns](https://github.com/Alexhuszagh/rust-lexical/issues/102)
+ 1. [BytesIter::read() advances iterators out of bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101)
+ 1. [The `BytesIter` trait has safety invariants but is public and not marked `unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104)
+ 1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/95)
+ 1. [`radix()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/126)
+
+Version 1.0 fixes these issues, removes the vast majority of `unsafe` code, and also fixes some correctness issues.
diff --git a/crates/lexical/RUSTSEC-2023-0055.md b/crates/lexical/RUSTSEC-2023-0055.md
index b169d9cd1..d6b0bbf2d 100644
--- a/crates/lexical/RUSTSEC-2023-0055.md
+++ b/crates/lexical/RUSTSEC-2023-0055.md
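Review bot: The body line `` `RUSTSEC-2024-0377` contains multiple soundness issues: `` names an advisory ID that contradicts the header's placeholder `id = "RUSTSEC-0000-0000"`, and since the real ID is only assigned on merge the sentence's subject should be the package rather than any ID, e.g. `` `lexical-core` contains multiple soundness issues: ``. The fourth and fifth list items also carry a duplicated word in `which is is not allowed`; the same duplication is in the `radix()` line added by the second hunk of crates/lexical/RUSTSEC-2023-0055.md, where it appears to have been copied from the existing `write_float()` item above it. The `date = "2023-09-03"` field matches the related lexical advisory even though this file newly cites issue #126, so it is worth confirming that date is the one intended for this advisory rather than an inherited value.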
@@ -4,7 +4,7 @@ id = "RUSTSEC-2023-0055"
 package = "lexical"
 date = "2023-09-03"
 informational = "unsound"
-references = ["https://github.com/Alexhuszagh/rust-lexical/issues/102", "https://github.com/Alexhuszagh/rust-lexical/issues/101", "https://github.com/Alexhuszagh/rust-lexical/issues/95", "https://github.com/Alexhuszagh/rust-lexical/issues/104"]
+references = ["https://github.com/Alexhuszagh/rust-lexical/issues/102", "https://github.com/Alexhuszagh/rust-lexical/issues/101", "https://github.com/Alexhuszagh/rust-lexical/issues/95", "https://github.com/Alexhuszagh/rust-lexical/issues/104", "https://github.com/Alexhuszagh/rust-lexical/issues/126"]
 aliases = ["GHSA-c2hm-mjxv-89r4"]
 
 [versions]
@@ -19,6 +19,7 @@ patched = [">= 7.0.0"]
  1. [BytesIter::read() advances iterators out of bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101)
  1. [The `BytesIter` trait has safety invariants but is public and not marked `unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104)
  1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/95)
+ 1. [`radix()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/126)
 
 The crate also has some correctness issues.