Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add use after free advisory for lru crate #1125

Merged
merged 3 commits into from
Dec 21, 2021
Merged

Add use after free advisory for lru crate #1125

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e4c54e6
Add use after free advisory for lru crate
oherrala Dec 21, 2021
873d976
Add blockquotes
oherrala Dec 21, 2021
cca6f2b
Update RUSTSEC-0000-0000.md
Shnatsel Dec 21, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
25 changes: 25 additions & 0 deletions crates/lru/RUSTSEC-0000-0000.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "lru"
date = "2021-12-21"
url = "https://github.com/jeromefroe/lru-rs/issues/120"
categories = ["memory-corruption"]
keywords = ["use-after-free"]

[affected.functions]
"lru::LruCache::iter" = ["< 0.7.1"]
"lru::LruCache::iter_mut" = ["< 0.7.1"]

[versions]
patched = [">= 0.7.1"]
```

# Use after free in lru crate

Lru crate has use after free vulnerability.

Lru crate has two functions for getting an iterator. Both iterators give
references to key and value. Calling specific functions, like pop(), will remove
and free the value, and but it's still possible to access the reference of value
which is already dropped causing use after free.