Page 4 of 22 results (0.010 seconds)

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1

CVE-2021-28878 – rust: memory safety violation in Zip implementation when next_back() and next() are used together

https://notcve.org/view.php?id=CVE-2021-28878

In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together. This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait. En la biblioteca estándar en Rust versiones anteriores a 1.52.0, la implementación de Zip llama a la función __iterator_get_unchecked() más de una vez para el mismo índice (bajo determinadas condiciones) cuando las funciones next_back() y next() son usadas juntas. Este bug podría conllevar a una violación de seguridad de la memoria debido a un requisito de seguridad no cumplido para el rasgo TrustedRandomAccess • https://github.com/rust-lang/rust/issues/82291 https://github.com/rust-lang/rust/pull/82292 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CZ337CM4GFJLRDFVQCGC7J25V65JXOG5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFUO3URYCO73D2Q4WYJBWAMJWGGVXQO4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZG65GUW6Z2CYOQHF7T3TB5CZKIX6ZJE https://security.gentoo.org/glsa/202210-09 https://access.redhat • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

CVE-2019-16760 – Cargo prior to Rust 1.26.0 may download the wrong dependency

https://notcve.org/view.php?id=CVE-2019-16760

Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to crates.io. Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will ignore the `package` key in manifests. • http://www.openwall.com/lists/oss-security/2019/10/08/3 https://gist.github.com/pietroalbini/0d293b24a44babbeb6187e06eebd4992 https://github.com/rust-lang/rust/security/advisories/GHSA-phjm-8x66-qw4r https://groups.google.com/forum/#%21topic/rustlang-security-announcements/rVQ5e3TDnpQ • CWE-16: Configuration CWE-494: Download of Code Without Integrity Check •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1

CVE-2019-1010299

https://notcve.org/view.php?id=CVE-2019-1010299

The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to string or to log file. The component is: Debug trait implementation for std::collections::vec_deque::Iter. The attack vector is: The program needs to invoke debug printing for iterator over an empty VecDeque. The fixed version is: 1.30.0, nightly versions after commit b85e4cc8fadaabd41da5b9645c08c68b8f89908d. • https://github.com/rust-lang/rust/issues/53566 https://github.com/rust-lang/rust/pull/53571/commits/b85e4cc8fadaabd41da5b9645c08c68b8f89908d • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-908: Use of Uninitialized Resource •

CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 1

CVE-2019-12083

https://notcve.org/view.php?id=CVE-2019-12083

The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, can violate Rust's safety guarantees and cause memory unsafety. If the `Error::type_id` method is overridden then any type can be safely cast to any other type, causing memory safety vulnerabilities in safe code (e.g., out-of-bounds write or read). Code that does not manually implement Error::type_id is unaffected. Rust Programming Language Standard Library, versiones 1.34.x anteriores a 1.34.2, contiene un método estabilizado que, si se anula, puede ignorar las garantías de seguridad de Rust y causar inseguridades en la memoria. Si el método `Error::type_id` es anulado, entonces cualquier tipo puede ser lanzado con seguridad a cualquier otro tipo, causando vulnerabilidades de seguridad de memoria en código seguro (por ejemplo, escritura o lectura fuera de límites). • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00076.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00031.html https://blog.rust-lang.org/2019/05/13/Security-advisory.html https://groups.google.com/forum/#%21topic/rustlang-security-announcements/aZabeCMUv70 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HG47HYH3AQTUMBUMX3S3G5DNAY4CBW6N https://lists.fedorapr • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •

CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0

CVE-2018-1000810

https://notcve.org/view.php?id=CVE-2018-1000810

The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contains a CWE-680: Integer Overflow to Buffer Overflow vulnerability in standard library that can result in buffer overflow. This attack appear to be exploitable via str::repeat, passed a large number, can overflow an internal buffer. This vulnerability appears to have been fixed in 1.29.1. Rust Programming Language Standard Library en versiones 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1 y 126.0 contiene una vulnerabilidad CWE-680: desbordamiento de enteros a desbordamiento de búfer en la biblioteca estándar que puede resultar en un desbordamiento de búfer. El ataque parece ser explotable mediante str::repeat (al pasar un número grande, puede desbordar un búfer interno). • https://blog.rust-lang.org/2018/09/21/Security-advisory-for-std.html https://groups.google.com/forum/#%21topic/rustlang-security-announcements/CmSuTm-SaU0 https://security.gentoo.org/glsa/201812-11 • CWE-190: Integer Overflow or Wraparound •