-
Notifications
You must be signed in to change notification settings - Fork 377
/
Copy pathRUSTSEC-2023-0035.json
66 lines (66 loc) · 2.16 KB
/
RUSTSEC-2023-0035.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
{
"schema_version": null,
"id": "RUSTSEC-2023-0035",
"modified": "2023-06-13T13:10:24Z",
"published": "2023-04-17T12:00:00Z",
"aliases": [
"GHSA-qvc4-78gw-pv8p"
],
"related": [],
"summary": "Adverserial use of `make_bitflags!` macro can cause undefined behavior",
"details": "The macro relied on an expression of the form `Enum::Variant` always being a\nvariant of the enum. However, it may also be an associated integer constant, in\nwhich case there's no guarantee that the value of said constant consists only of\nbits valid for this bitflag type.\n\nThus, code like this could create an invalid `BitFlags<Test>`, which would cause\niterating over it to trigger undefined behavior. As the debug formatter\ninternally iterates over the value, it is also affected.\n\n```rust\nuse enumflags2::{bitflags, make_bitflags};\n\n#[bitflags]\n#[repr(u8)]\n#[derive(Copy, Clone, Debug)]\nenum Test {\n A = 1,\n B = 2,\n}\n\nimpl Test {\n const C: u8 = 69;\n}\n\nfn main() {\n let x = make_bitflags!(Test::{C});\n // printing or iterating over x is UB\n}\n```",
"severity": [],
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "enumflags2",
"purl": "pkg:cargo/enumflags2"
},
"ecosystem_specific": {
"affects": {
"arch": [],
"os": [],
"functions": []
},
"affected_functions": null
},
"database_specific": {
"categories": [],
"cvss": null,
"informational": "unsound"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.7.0"
},
{
"fixed": "0.7.7"
}
]
}
],
"versions": []
}
],
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/enumflags2"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2023-0035.html"
},
{
"type": "WEB",
"url": "https://github.com/meithecatte/enumflags2/releases/tag/v0.7.7"
}
],
"database_specific": {
"license": "CC0-1.0"
}
}