RUSTSEC-2023-0054 on 2023-08-07: Use-after-free in vec_insert_bytes
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.
To review the actual code of the crate, it's best to use cargo crev open mail-internals. Alternatively, you can download the tarball of mail-internals v0.2.3 or view the source online.
Incorrect reallocation logic in the function vec_insert_bytes causes a use-after-free. This function does not have to be called directly to trigger the vulnerability because many methods on EncodingWriter call this function internally.

The mail-* suite is unmaintained and the upstream sources have been actively vandalised. A fixed mail-internals-ng (and mail-headers-ng and mail-core-ng) crate has been published which fixes this, and a dependency on another unsound crate.

GHSA-rcx8-48pc-v9q8