Assigned RUSTSEC-2025-0053 to arenavec

djc
2025-09-01 07:58:17 +00:00
committed by Dirkjan Ochtman
parent 835b4f6331
commit ed23fda8bc
2 changed files with 3 additions and 3 deletions


@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
ca6ad962992b5084a9d9f1c7fdd86e86515f9608997d1d62963e1f60cbd436b0 -
9a01a60d704d21710008e1cbda0135d3ab4b33923d77f677c5d11f1450f9eec4 -
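Review bot: The replaced digest line is opaque to a reviewer: the two header lines explain why this file exists (forcing a merge conflict between concurrent ID assignment jobs) but not what the hex value is computed from, so the new value cannot be checked against anything else in the commit. Consider adding a third header line that names the input being hashed and the command that produces it. The trailing ` -` suggests checksum-tool output read from standard input, which is worth stating explicitly in the file.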


@@ -1,6 +1,6 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
id = "RUSTSEC-2025-0053"
package = "arenavec"
date = "2025-08-14"
@@ -28,4 +28,4 @@ The crate has the following vulnerabilities:
- The safe API `arenavec::common::SliceVec::reserve` can reach the private function `arenavec::common::allocate_inner`. Incorrect behavior in `allocate_inner` may result in a `SliceVec` with an increased capacity, even though the underlying memory has not actually been expanded. This mismatch between `SliceVec.capacity` and the actual reserved memory can lead to a heap buffer overflow.
- The safe API `arenavec::common::SliceVec::split_off` can duplicate the ownership of the elements in `self` (of type `SliceVec`) if they implement the `Drop` trait. Specifically, when `at == 0`, the method returns a new `SliceVec` with the same length as `self`. Since both `self` and the returned object point to the same heap memory, dropping one will deallocate the shared memory. When the other is subsequently dropped, it will attempt to free the same memory again, resulting in a double free violation.
- The safe API `arenavec::common::SliceVec::split_off` can duplicate the ownership of the elements in `self` (of type `SliceVec`) if they implement the `Drop` trait. Specifically, when `at == 0`, the method returns a new `SliceVec` with the same length as `self`. Since both `self` and the returned object point to the same heap memory, dropping one will deallocate the shared memory. When the other is subsequently dropped, it will attempt to free the same memory again, resulting in a double free violation.
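Review bot: The `split_off` bullet in the hunk at line 28 is removed and re-added with text that reads identically in this view, so the change is presumably whitespace or an end-of-file newline only. That is harmless, but it is unrelated to replacing `RUSTSEC-0000-0000` with the assigned ID. If the assignment job normalises the file when it writes it, say so in the commit message or the job's documentation so this removed/added pair is not mistaken for an edit to the advisory's content.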