RUSTSEC-2021-0092
on 2021-01-26: Deserialization functions pass uninitialized memory to user-provided Read
This crate has no reviews yet. To add a review, set up your cargo-crev
.
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.
To review the actual code of the crate, it's best to use cargo crev open messagepack-rs
. Alternatively, you can download the tarball of messagepack-rs v0.8.1 or view the source online.
Affected versions of this crate passed an uninitialized buffer to a user-provided
Read
instance in:deserialize_binary
deserialize_string
deserialize_extension_others
deserialize_string_primitive
This can result in safe
Read
implementations reading from the uninitialized buffer leading to undefined behavior.CVE-2021-45690
CVE-2021-45691
CVE-2021-45692
CVE-2021-45693
GHSA-hr52-f9vp-582c
GHSA-jqjj-r4qp-x2gh
GHSA-jwfh-j623-m97h
GHSA-m325-rxjv-pwph
GHSA-vw5m-qw2r-m923