Published: 08 Jul 2024
Source: github
Github: Reviewed
CVSS4: 6.9
CVSS3: 6.2
Description
zerovec-derive incorrectly uses #[repr(packed)]
The affected versions make unsafe memory accesses under the assumption that #[repr(packed)] has a guaranteed field order.
The Rust specification does not guarantee this, and https://github.com/rust-lang/rust/pull/125360 (1.80.0-beta) starts
reordering fields of #[repr(packed)] structs, leading to illegal memory accesses.
The patched versions 0.9.7 and 0.10.3 use #[repr(C, packed)], which guarantees field order.
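A layout check for the assumption described above, as an added example (not code from zerovec-derive or from the advisory). The structs `RustPacked` and `CPacked`, their fields, and the `ASSUMED` offsets are hypothetical; the check relies on declaration order only where `#[repr(C, packed)]` guarantees it.

```rust
use std::mem::MaybeUninit;
use std::ptr::addr_of;

// Hypothetical record types for illustration; not zerovec-derive's generated code.
#[allow(dead_code)]
#[repr(packed)] // Rust layout: field order is not guaranteed
struct RustPacked { tag: u8, value: [u8; 4], flags: [u8; 2] }

#[allow(dead_code)]
#[repr(C, packed)] // C layout: declaration order, no padding
struct CPacked { tag: u8, value: [u8; 4], flags: [u8; 2] }

// Byte offsets that unsafe code would assume from declaration order.
const ASSUMED: [usize; 3] = [0, 1, 5];

// Measure the real field offsets using raw pointers only (no references).
macro_rules! offsets {
    ($t:ty) => {{
        let slot = MaybeUninit::<$t>::uninit();
        let base = slot.as_ptr();
        unsafe {
            [
                addr_of!((*base).tag) as usize - base as usize,
                addr_of!((*base).value) as usize - base as usize,
                addr_of!((*base).flags) as usize - base as usize,
            ]
        }
    }};
}

fn c_packed_offsets() -> [usize; 3] { offsets!(CPacked) }
fn rust_packed_offsets() -> [usize; 3] { offsets!(RustPacked) }

// Reinterpret 7 bytes as a record. Sound for CPacked only: its layout is fixed,
// its alignment is 1, and every bit pattern is valid for its u8 fields.
fn read_c_packed(bytes: &[u8; 7]) -> (u8, [u8; 4], [u8; 2]) {
    let rec: CPacked = unsafe { std::mem::transmute(*bytes) };
    (rec.tag, rec.value, rec.flags)
}

fn main() {
    println!("repr(C, packed) offsets: {:?}", c_packed_offsets());
    let r = rust_packed_offsets();
    // May print false on toolchains that reorder repr(packed) fields.
    println!("repr(packed) offsets: {:?}, matches assumption: {}", r, r == ASSUMED);
    println!("{:?}", read_c_packed(&[7, 1, 2, 3, 4, 0xAA, 0xBB]));
}
```

Running a check like this as a unit test makes a toolchain upgrade that changes layout fail the build instead of producing an invalid memory access at runtime.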
Packages
Name: zerovec-derive (rust)
Affected versions: >= 0.10.0, < 0.10.3
Fixed version: 0.10.3

Name: zerovec-derive (rust)
Affected versions: < 0.9.7
Fixed version: 0.9.7
CVSS4: 6.9 Medium
CVSS3: 6.2 Medium
Weaknesses: CWE-120