Add use after free advisory for lru crate (#1125)

* Add use after free advisory for lru crate * Add blockquotes * Update RUSTSEC-0000-0000.md Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
rustsec · Dec 21, 2021 · 2fc8681 · 2fc8681
1 parent bfcafe5
commit 2fc8681
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/crates/lru/RUSTSEC-0000-0000.md b/crates/lru/RUSTSEC-0000-0000.md
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "lru"
+date = "2021-12-21"
+url = "https://github.com/jeromefroe/lru-rs/issues/120"
+categories = ["memory-corruption"]
+keywords = ["use-after-free"]
+
+[affected.functions]
+"lru::LruCache::iter" = ["< 0.7.1"]
+"lru::LruCache::iter_mut" = ["< 0.7.1"]
+
+[versions]
+patched = [">= 0.7.1"]
+```
+
+# Use after free in lru crate
+
+Lru crate has use after free vulnerability.
+
+Lru crate has two functions for getting an iterator. Both iterators give
+references to key and value. Calling specific functions, like pop(), will remove
+and free the value, and but it's still possible to access the reference of value
+which is already dropped causing use after free.