GHSA-rcx8-48pc-v9q8

Опубликовано: 24 авг. 2023

Источник: github

Github: Прошло ревью

Описание

mail-internals use-after-free vulnerability in vec_insert_bytes

Incorrect reallocation logic in the function vec_insert_bytes causes a use-after-free.

This function does not have to be called directly to trigger the vulnerability because many methods on EncodingWriter call this function internally.

The mail-* suite is unmaintained and the upstream sources have been actively vandalised. A fixed mail-internals-ng (and mail-headers-ng and mail-core-ng) crate has been published which fixes this, and a dependency on another unsound crate.

Ссылки

https://github.com/rustsec/advisory-db/blob/main/crates/mail-internals/RUSTSEC-2023-0054.md
https://rustsec.org/advisories/RUSTSEC-2023-0054.html

Пакеты

Наименование

mail-internals

rust

Затронутые версииВерсия исправления

>= 0.2.0, <= 0.2.3

Отсутствует