RUSTSEC-2021-0046 on 2021-02-17: misc::vec_with_size() can drop uninitialized memory if clone panics

misc::vec_with_size creates a vector of the provided size and immediately calls vec.set_len(size) on it, initially filling it with uninitialized memory. It then inserts elements using vec[i] = value.clone().

If the value.clone() call panics, uninitialized items in the vector will be dropped leading to undefined behavior.

CVE-2021-29937

GHSA-hpcx-3pw8-g3j2

This crate has no reviews yet. To add a review, set up your cargo-crev.


Lib.rs has been able to verify that all files in the crate's tarball, except Cargo.lock, are in the crate's repository. Please note that this check is still in beta, and absence of this confirmation does not mean that the files don't match.

Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories, so there is a possibility that published crates have a misleading repository URL, or contain different code from the code in the repository.

To review the actual code of the crate, it's best to use cargo crev open telemetry. Alternatively, you can download the tarball of telemetry v0.1.3 or view the source online.