advisory-db/advisories/RUSTSEC-2025-0137.html
github-actions f27ebfd8d9 Update gh-pages
2025-12-27 05:19:38 +00:00
<!DOCTYPE html>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8">
<meta name="author" content="Rust Project Developers">
<meta name="description" content="Security advisory database for Rust crates published through https://crates.io">
<title>RUSTSEC-2025-0137: ruint: Unsoundness of safe `reciprocal_mg10` RustSec Advisory Database</title>
<link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,300italic,400italic" rel="stylesheet">
<link href="/css/basic.css" rel="stylesheet">
<link href="/css/highlight.css" rel="stylesheet">
<link href="/css/index.css" rel="stylesheet">
<script src="/js/index.js" defer></script>
<script src="/js/search.js" defer></script>
<main class="advisory">
<article>
<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/ruint/RUSTSEC-2025-0137.md">History</a>
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/ruint/RUSTSEC-2025-0137.md">Edit</a>
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2025-0137">JSON (OSV)</a>
</span>
<header>
<h1>
RUSTSEC-2025-0137
</h1>
<span class="subtitle"><p>Unsoundness of safe <code>reciprocal_mg10</code></p>
</span>
</header>
<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2025-12-22">
December 22, 2025
</time>
</dd>
<dt id="issued">Issued</dt>
<dd>
<time datetime="2025-12-24">
December 24, 2025
</time>
<time datetime="2025-12-27">
(last modified: December 27, 2025)
</time>
</dd>
<dt id="package">Package</dt>
<dd>
<a href="/packages/ruint.html">ruint</a>
(<a href="https://crates.io/crates/ruint">crates.io</a>)
</dd>
<dt id="type">Type</dt>
<dd>
Vulnerability
</dd>
<dt id="categories">Categories</dt>
<dd>
<ul>
<li><a href="/categories/memory-corruption.html">memory-corruption</a></li>
</ul>
</dd>
<dt id="keywords">Keywords</dt>
<dd>
<a href="/keywords/soundness.html">#soundness</a>
<a href="/keywords/out-of-bounds.html">#out-of-bounds</a>
</dd>
<dt id="aliases">Aliases</dt>
<dd>
<ul>
<li>
<a href="https://github.com/advisories/GHSA-9fjq-45qv-pcm7">GHSA-9fjq-45qv-pcm7</a>
</li>
</ul>
</dd>
<dt id="details">References</dt>
<dd>
<ul>
<li>
<a href="https://github.com/recmo/uint/issues/550">
https://github.com/recmo/uint/issues/550
</a>
</li>
</ul>
</dd>
<dt id="patched">Patched</dt>
<dd>
no patched versions
</dd>
</dl>
<dl>
<dt>Affected Functions</dt>
<dd>Version</dd>
<dt><code>ruint::algorithms::div::reciprocal_mg10</code></dt>
<dd>
<ul>
<li><code>&#60;1.17.0</code></li>
</ul>
</dd>
</dl>
<h3 id="description">Description</h3>
<p>The function <code>reciprocal_mg10</code> is marked as safe but can trigger undefined behavior (out-of-bounds access) because it relies on <code>debug_assert!</code> for safety checks instead of <code>assert!</code>.</p>
<p>In builds with debug assertions disabled (the default release profile), the <code>debug_assert!</code> is not compiled in, so invalid inputs can reach the unchecked access and cause memory corruption.</p>
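<p>The pattern the advisory describes, shown beside its hardened form, as an added illustration that is not ruint's code: <code>TABLE</code>, <code>build_table</code>, <code>reciprocal_unsound</code>, <code>reciprocal_checked</code> and <code>debug_guards_active</code> are constructed stand-ins, and the table values are an arbitrary approximation chosen only to keep the index bounded.</p>

```rust
// Added example, not code from ruint. Every name and value here is a
// constructed stand-in for the shape the advisory describes: a safe fn whose
// only guard on an unchecked table index is a debug_assert!.

/// 256-entry table indexed by the top 9 bits of a normalized divisor, minus 256.
/// Values are a constructed approximation of 2^19 / (index + 256).
const TABLE: [u16; 256] = build_table();

const fn build_table() -> [u16; 256] {
    let mut t = [0u16; 256];
    let mut i = 0;
    while i < 256 {
        t[i] = ((1u32 << 19) / (i as u32 + 256)) as u16;
        i += 1;
    }
    t
}

/// The unsound pattern: marked safe, but the only check on the precondition
/// (top bit of `d` set, so `d >> 55 >= 256`) is a debug_assert!. With debug
/// assertions off, a non-normalized divisor makes the index wrap and
/// `get_unchecked` reads past the table: undefined behaviour from safe code.
pub fn reciprocal_unsound(d: u64) -> u16 {
    debug_assert!(d >= 1 << 63, "divisor must be normalized");
    let idx = ((d >> 55) as usize).wrapping_sub(256);
    // Unsound: the SAFETY argument only holds in builds where the debug_assert! ran.
    unsafe { *TABLE.get_unchecked(idx) }
}

/// Hardened form: the precondition is enforced in every build profile with
/// assert!, and the table access is bounds-checked, so an invalid input
/// panics instead of reading out of bounds.
pub fn reciprocal_checked(d: u64) -> u16 {
    assert!(d >= 1 << 63, "divisor must be normalized");
    TABLE[(d >> 55) as usize - 256]
}

/// Whether debug_assert! guards exist at all in the current build profile.
pub fn debug_guards_active() -> bool {
    cfg!(debug_assertions)
}

fn main() {
    println!("debug_assert! guards active: {}", debug_guards_active());
    println!("reciprocal_checked(1 << 63) = {}", reciprocal_checked(1 << 63));
    // Invalid input: the checked version panics in every profile. The unsound
    // version is deliberately never called with it, since in release that is UB.
    let r = std::panic::catch_unwind(|| reciprocal_checked(1 << 62));
    println!("reciprocal_checked(1 << 62) panicked: {}", r.is_err());
}
```

<p>Auditing for this class of bug means treating every <code>debug_assert!</code> that stands in front of <code>unsafe</code> as absent in release; <code>debug_guards_active()</code> returning <code>false</code> is exactly the configuration in which the advisory's out-of-bounds access becomes reachable.</p>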
<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.
</p>
</article>
</main>