GHSA-GHPQ-VJXW-CH5W

Vulnerability from github – Published: 2021-08-25 20:56 – Updated: 2021-08-18 20:41
Summary
Use after free in libpulse-binding
Details

Overview

Version 1.2.1 of the libpulse-binding Rust crate, released on the 15th of June 2018, fixed a pair of use-after-free issues with the objects returned by the get_format_info and get_context methods of Stream objects. These objects were mistakenly being constructed without setting an important flag to prevent destruction of the underlying C objects they reference upon their own destruction.

This advisory is being written retrospectively, having previously only been noted in the changelog. No CVE assignment was sought.
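As an added illustration (not the crate's own code), the following Rust model shows why a handle borrowed from a parent object needs a flag that suppresses the C-side release on drop: the C object, its reference count and its "freed" marker are simulated, and the names pa_context_unref, get_context_buggy and get_context_fixed are assumptions of this model rather than the crate's API.

```rust
use std::cell::Cell;
use std::rc::Rc;
// Stand-in for the C-side pa_context with libpulse's manual reference count. The
// names, the counters and the "freed" flag are assumptions of this model, not crate code.
struct RawContext { refs: Cell<u32>, freed: Cell<bool>, unref_after_free: Cell<u32> }
fn pa_context_unref(c: &RawContext) {
    if c.freed.get() {
        // Touching an object the library already released: the use-after-free.
        c.unref_after_free.set(c.unref_after_free.get() + 1);
        return;
    }
    c.refs.set(c.refs.get() - 1);
    if c.refs.get() == 0 { c.freed.set(true); }
}
// Rust wrapper. `weak` marks a handle borrowed from a parent object, which must
// not release the C reference on drop. The pre-1.2.1 getters left it unset.
struct Context { raw: Rc<RawContext>, weak: bool }
impl Drop for Context {
    fn drop(&mut self) { if !self.weak { pa_context_unref(&self.raw); } }
}
// A stream takes its own C reference to the context it was created from.
struct Stream { ctx: Rc<RawContext> }
impl Stream {
    fn new(ctx: &Context) -> Stream {
        ctx.raw.refs.set(ctx.raw.refs.get() + 1);
        Stream { ctx: Rc::clone(&ctx.raw) }
    }
    // Buggy: the handle acts as an owner although no reference was taken for it.
    fn get_context_buggy(&self) -> Context { Context { raw: Rc::clone(&self.ctx), weak: false } }
    // Fixed: a weak handle, so dropping it leaves the stream's reference alone.
    fn get_context_fixed(&self) -> Context { Context { raw: Rc::clone(&self.ctx), weak: true } }
}
impl Drop for Stream {
    fn drop(&mut self) { pa_context_unref(&self.ctx); }
}

// Returns (context freed while the application still held it, unrefs applied after free).
fn scenario(fixed: bool) -> (bool, u32) {
    let raw = Rc::new(RawContext { refs: Cell::new(1), freed: Cell::new(false), unref_after_free: Cell::new(0) });
    let app_ctx = Context { raw: Rc::clone(&raw), weak: false };
    let stream = Stream::new(&app_ctx); // C refcount is now 2
    let borrowed = if fixed { stream.get_context_fixed() } else { stream.get_context_buggy() };
    drop(borrowed); // buggy: refcount falls to 1, releasing the reference the stream relies on
    drop(stream); // buggy: refcount hits 0, object freed while app_ctx is still alive
    let freed_early = raw.freed.get();
    drop(app_ctx); // buggy: unref on a freed object
    (freed_early, raw.unref_after_free.get())
}
```

Running scenario(false) reproduces the pre-1.2.1 behaviour (the context is released while the application still holds it, and the final unref touches freed memory); scenario(true) shows the weak handle leaving the counts intact.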

Patches

Users are required to update to version 1.2.1 or newer.

Versions older than 1.2.1 have been yanked from crates.io. This was believed to have already been done at the time of the 1.2.1 release, but on double-checking they were found to still be available, so this has now been done (22nd October 2020).


{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libpulse-binding"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T20:41:10Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Overview\n\nVersion 1.2.1 of the `libpulse-binding` Rust crate, released on the 15th of June 2018, fixed a pair of use-after-free issues with the objects returned by the `get_format_info` and `get_context` methods of `Stream` objects. These objects were mistakenly being constructed without setting an important flag to prevent destruction of the underlying C objects they reference upon their own destruction.\n\nThis advisory is being written retrospectively, having previously only been noted in the changelog. No CVE assignment was sought.\n\n### Patches\n\nUsers are required to update to version 1.2.1 or newer.\n\nVersions older than 1.2.1 have been yanked from crates.io. This was believed to have already been done at the time of the 1.2.1 release, but upon double checking now they were found to still be available, so has been done now (22nd October 2020).",
  "id": "GHSA-ghpq-vjxw-ch5w",
  "modified": "2021-08-18T20:41:10Z",
  "published": "2021-08-25T20:56:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jnqnfe/pulse-binding-rust/security/advisories/GHSA-ghpq-vjxw-ch5w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jnqnfe/pulse-binding-rust"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2018-0021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Use after free in libpulse-binding"
}

