mirror of
https://github.com/rustsec/advisory-db.git
synced 2025-12-27 01:54:07 -05:00
[advisory]
id = "RUSTSEC-2021-0037"
package = "diesel"
aliases = ["CVE-2021-28305"]
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
date = "2021-03-05"
url = "https://github.com/diesel-rs/diesel/pull/2663"
categories = ["memory-corruption"]
keywords = ["use after free"]
[affected]
functions = { "diesel::SqliteConnection::query_by_name" = ["< 1.4.6"] }
[versions]
patched = [">= 1.4.6"]
Fix a use-after-free bug in diesel's SQLite backend
We've misused sqlite3_column_name. The SQLite documentation states the following:
The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.
As part of our query_by_name infrastructure we first retrieved all
field names for the prepared statement and stored them as borrowed string slices
for later use. After that we called sqlite3_step() for the first time,
which invalidates the pointer returned by sqlite3_column_name() and therefore the stored string slice.
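The following is an added example, not code from diesel or from the advisory. It stands in for the sqlite3 C API with a small mock (MockStmt, mock_column_name, mock_step are constructed names) that reproduces the documented semantics: the column-name pointer is only valid until the first step() re-prepares the statement. The safe wrapper around it shows the two defensive patterns: tie the borrowed &str to &self so the borrow checker refuses to keep it across step(&mut self), and copy the names into owned Strings before stepping.

```rust
use std::ffi::{CStr, CString};
use std::os::raw::{c_char, c_int};

/// Mock of a prepared statement as the C library sees it (constructed, not
/// sqlite3). It owns the column-name buffers and, like SQLite, re-prepares on
/// the first step(), reallocating those buffers.
pub struct MockStmt {
    names: Vec<CString>,
    stepped: bool,
}

/// Mock of sqlite3_column_name(): the pointer is valid only until the next
/// step() re-prepares the statement (or until the statement is finalized).
pub unsafe fn mock_column_name(stmt: *const MockStmt, idx: c_int) -> *const c_char {
    (*stmt).names[idx as usize].as_ptr()
}

/// Mock of sqlite3_step(): the first call re-prepares, which here means every
/// name buffer is rebuilt and the old one freed, so earlier pointers dangle.
pub unsafe fn mock_step(stmt: *mut MockStmt) -> c_int {
    let s = &mut *stmt;
    if !s.stepped {
        s.stepped = true;
        s.names = s
            .names
            .iter()
            .map(|n| CString::new(n.to_bytes().to_vec()).unwrap())
            .collect();
    }
    100 // SQLITE_ROW
}

/// Safe wrapper that encodes the C API's validity rule in Rust lifetimes.
pub struct Statement {
    raw: Box<MockStmt>,
}

impl Statement {
    pub fn prepare(columns: &[&str]) -> Self {
        let names = columns.iter().map(|c| CString::new(*c).unwrap()).collect();
        Statement { raw: Box::new(MockStmt { names, stepped: false }) }
    }

    /// Borrowed name: the &str lives no longer than the &self borrow, so the
    /// compiler rejects holding it across step(&mut self).
    pub fn column_name(&self, idx: usize) -> &str {
        let ptr = unsafe { mock_column_name(&*self.raw, idx as c_int) };
        unsafe { CStr::from_ptr(ptr) }.to_str().unwrap()
    }

    /// Owned copies of every column name, taken while the pointers are valid.
    pub fn column_names(&self) -> Vec<String> {
        (0..self.raw.names.len()).map(|i| self.column_name(i).to_owned()).collect()
    }

    /// Advances the statement; &mut self ends any outstanding name borrow.
    pub fn step(&mut self) -> bool {
        unsafe { mock_step(&mut *self.raw) == 100 }
    }
}

/// The query_by_name-style sequence done safely: copy the names into owned
/// Strings first, then step. Re-preparation can no longer invalidate them.
pub fn names_after_first_step(columns: &[&str]) -> Vec<String> {
    let mut stmt = Statement::prepare(columns);
    let names = stmt.column_names(); // owned, independent of the C buffers
    stmt.step(); // re-prepares; the old C pointers are now dangling
    names
}

// The buggy shape from the advisory, shown as a comment because this wrapper
// makes it a compile error (E0502) rather than a use-after-free:
//   let name: &str = stmt.column_name(0); // immutable borrow of stmt
//   stmt.step();                          // mutable borrow while `name` is live
//   println!("{name}");

fn main() {
    for name in names_after_first_step(&["id", "name", "email"]) {
        println!("{name}");
    }
}
```

The important design choice is that column_name borrows &self and step takes &mut self: that is exactly the validity rule from the SQLite documentation expressed as a lifetime, and it is what a raw `&'static str` or a slice with an unbounded lifetime from unsafe FFI code silently discards.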