{"id":"GHSA-jwh2-vrr9-vcp2","summary":"mz-avro's incorrect use of `set_len` allows for un-initialized memory","details":"Affected versions of this crate passes an uninitialized buffer to a user-provided `Read` \nimplementation.\n\nArbitrary `Read` implementations can read from the uninitialized buffer (memory exposure)\nand also can return incorrect number of bytes written to the buffer.\nReading from uninitialized memory produces undefined values that can quickly invoke\nundefined behavior.\n\nNote: there is only UB in the case where a user provides a struct whose `Read`\nimplementation inspects the buffer passed to `read_exact` before writing to it.\nThis is an unidiomatic (albeit possible) `Read` implementation.\n\nSee https://github.com/MaterializeInc/materialize/issues/8669 for details.\n","aliases":["RUSTSEC-2021-0138"],"modified":"2023-11-08T04:20:47.718056Z","published":"2022-08-30T19:53:54Z","database_specific":{"severity":"MODERATE","cwe_ids":[],"github_reviewed_at":"2022-08-30T19:53:54Z","nvd_published_at":null,"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/MaterializeInc/materialize/issues/8669"},{"type":"PACKAGE","url":"https://github.com/MaterializeInc/materialize"},{"type":"WEB","url":"https://rustsec.org/advisories/RUSTSEC-2021-0138.html"}],"affected":[{"package":{"name":"mz-avro","ecosystem":"crates.io","purl":"pkg:cargo/mz-avro"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.7.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-jwh2-vrr9-vcp2/GHSA-jwh2-vrr9-vcp2.json"}}],"schema_version":"1.7.3"}