
`zerovec` vulnerability

Open robertbastian opened this issue 1 year ago • 3 comments

cc @Manishearth

robertbastian avatar Jul 02 '24 16:07 robertbastian

Does it really need to be filed for both crates? If one pulls in the other, that’s sufficient.

tarcieri avatar Jul 02 '24 16:07 tarcieri

It's possible (but unlikely) to be in a setup of [email protected] and [email protected]. This is a vulnerable combination.

Edit: zerovec only pulls in zerovec-derive with the derive feature, that could be off with a client manually importing zerovec-derive.

robertbastian avatar Jul 02 '24 16:07 robertbastian

@tarcieri the vulns are present in both crates independently: the derive macro doesn't enforce C, packed, and the manual impls in the zerovec crate also don't have C, packed.

Manishearth avatar Jul 02 '24 17:07 Manishearth
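Added illustration (not part of the issue thread, and not code from zerovec or advisory-db) of why the comments above care about `#[repr(C, packed)]`. It assumes the standard reason: a type that is viewed directly over a byte slice must have alignment 1 and no padding bytes, which `repr(C, packed)` guarantees and the default `repr(Rust)` layout does not. `PairRust`, `PairPacked`, `byte_slice_compatible` and `view_packed` are names invented here; `SAMPLE` is constructed input.

```rust
use std::mem::{align_of, size_of};

// Default layout (repr(Rust)): the compiler may reorder fields and insert
// padding so that `b` sits at a 4-byte boundary; alignment is 4, size is 8.
#[allow(dead_code)]
#[derive(Clone, Copy)]
struct PairRust {
    a: u8,
    b: u32,
}

// repr(C, packed): C field order, no padding, alignment 1; size is exactly 5.
// This is the property a byte-slice-backed (ULE-style) type must have.
#[derive(Clone, Copy)]
#[repr(C, packed)]
struct PairPacked {
    a: u8,
    b: u32,
}

// Compile-time guard: the unsafe view below is only written for an align-1 type.
const _: () = assert!(align_of::<PairPacked>() == 1);

/// Layout check (assumed invariant): alignment 1 and no padding, so the size
/// equals the sum of the field sizes passed in.
fn byte_slice_compatible<T>(field_bytes: usize) -> bool {
    align_of::<T>() == 1 && size_of::<T>() == field_bytes
}

pub fn rust_layout() -> (usize, usize) {
    (size_of::<PairRust>(), align_of::<PairRust>())
}

pub fn packed_layout() -> (usize, usize) {
    (size_of::<PairPacked>(), align_of::<PairPacked>())
}

pub fn rust_is_compatible() -> bool {
    byte_slice_compatible::<PairRust>(1 + 4)
}

pub fn packed_is_compatible() -> bool {
    byte_slice_compatible::<PairPacked>(1 + 4)
}

/// Borrow a byte slice as `&[PairPacked]` without copying. This is sound only
/// because PairPacked has alignment 1 (no alignment check is needed), has no
/// padding, and every bit pattern is a valid u8 / u32. The same cast for
/// PairRust (align 4, padded) would be undefined behaviour, which is why a
/// derive that does not enforce `repr(C, packed)` is a soundness problem.
fn view_packed(bytes: &[u8]) -> Option<&[PairPacked]> {
    let elem = size_of::<PairPacked>();
    if bytes.len() % elem != 0 {
        return None; // trailing partial element: refuse rather than guess
    }
    // SAFETY: align 1, no padding, all bit patterns valid, whole-element length.
    Some(unsafe {
        std::slice::from_raw_parts(bytes.as_ptr() as *const PairPacked, bytes.len() / elem)
    })
}

// Constructed sample: two little-endian elements, a=1,b=0x12345678 and
// a=2,b=0xDEADBEEF.
pub const SAMPLE: [u8; 10] = [1, 0x78, 0x56, 0x34, 0x12, 2, 0xEF, 0xBE, 0xAD, 0xDE];

/// Field `b` of the second element, decoded from little-endian storage.
pub fn second_b_of(bytes: &[u8]) -> Option<u32> {
    let view = view_packed(bytes)?;
    let p = *view.get(1)?; // copy out by value: packed fields must not be borrowed
    Some(u32::from_le(p.b))
}

fn main() {
    println!("repr(Rust)  (size, align) = {:?}", rust_layout());
    println!("repr(C,packed) (size, align) = {:?}", packed_layout());
    println!("second b = {:#x?}", second_b_of(&SAMPLE));
}
```

The two `*_layout` functions show the concrete difference (8 bytes / align 4 versus 5 bytes / align 1); `view_packed` is the operation that becomes unsound the moment the attribute is missing, so a derive macro that emits the `ULE` impl without also checking the layout attribute is exactly the gap the thread describes.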