iana-time-zone v0.1.{43,44}: Use after free in MacOS / iOS implementation #1366
Conversation
| url = "https://github.com/strawlab/iana-time-zone/pull/54" | ||
| references = ["https://github.com/strawlab/iana-time-zone/pull/50#discussion_r945353515"] | ||
| categories = ["memory-corruption"] | ||
|
|
There was a problem hiding this comment.
@Kijewski btw may want to add informational = "unsound" here so it goes more as a warning instead of full error
But up to you - ought to give an option which one to use :)
There was a problem hiding this comment.
Thank you for the review! Yes, informational = "unsound" sounds like the right categorization. :)
There was a problem hiding this comment.
Great - Thank you for being responsible and proactive maintainer - welcome aboard contributing 🚢 🚀
There was a problem hiding this comment.
I also just realised this may have been memory-exposure vs memory-corruption ?
corruption is where attacker can potentially modify memory where as exposure is exposing random bits
if you would like to fix the category feel free to send another PR :)
There was a problem hiding this comment.
Yes, you are right. I opened #1368. :)
In iana-time-zone v0.1.43 a use-after-free bug in the MacOS / iOS implementation was introduced. The copied system time zone was released before its name was copied. If the system time zone was changed between the call of `CFRelease()` and `str::to_owned()`, random memory would be copied.
In iana-time-zone v0.1.43 a use-after-free bug in the MacOS / iOS implementation was introduced.
The copied system time zone was released before its name was copied.
If the system time zone was changed between the call of
CFReleaseandstr::to_owned(),random memory would be copied.