From 633fd6e2956d7b153bce89c48f5bc15e01aa05d6 Mon Sep 17 00:00:00 2001
From: JOE1994 <joseph942010@gmail.com>
Date: Tue, 19 Jan 2021 01:11:19 -0500
Subject: [PATCH] calamine: access unclaimed/uninitialized memory

---
 crates/calamine/RUSTSEC-0000-0000.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 crates/calamine/RUSTSEC-0000-0000.md

diff --git a/crates/calamine/RUSTSEC-0000-0000.md b/crates/calamine/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..7dfd9a25a
--- /dev/null
+++ b/crates/calamine/RUSTSEC-0000-0000.md
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "calamine"
+date = "2021-01-06"
+url = "https://github.com/tafia/calamine/issues/199"
+categories = ["memory-corruption", "memory-exposure"]
+
+[versions]
+patched = []
+```
+
+# `Sectors::get` accesses unclaimed/uninitialized memory
+
+Affected versions of this crate arbitrarily calls `Vec::set_len` to increase length of a vector without claiming more memory for the vector. Affected versions of this crate
+also calls user-provided `Read` on the uninitialized memory of the vector that was
+extended with `Vec::set_len`.
+
+This can overwrite active entities in adjacent heap memory and seems to be a major security issue. Also, calling user-provided `Read` on uninitialized memory is defined as UB in Rust.