{"id":"RUSTSEC-2018-0003","summary":"Possible double free during unwinding in SmallVec::insert_many","details":"If an iterator passed to `SmallVec::insert_many` panicked in `Iterator::next`,\ndestructors were run during unwinding while the vector was in an inconsistent\nstate, possibly causing a double free (a destructor running on two copies of\nthe same value).\n\nThis is fixed in smallvec 0.6.3 by ensuring that the vector's length is not\nupdated to include moved items until they have been removed from their\noriginal positions.  Items may now be leaked if `Iterator::next` panics, but\nthey will not be dropped more than once.\n\nThank you to @Vurich for reporting this bug.","aliases":["CVE-2018-20991","GHSA-rxr4-x558-x7hw"],"modified":"2023-11-08T04:00:13.368337Z","published":"2018-07-19T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/smallvec"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2018-0003.html"},{"type":"REPORT","url":"https://github.com/servo/rust-smallvec/issues/96"}],"affected":[{"package":{"name":"smallvec","ecosystem":"crates.io","purl":"pkg:cargo/smallvec"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.3.2"},{"fixed":"0.3.4"},{"introduced":"0.4.0-0"},{"fixed":"0.4.5"},{"introduced":"0.5.0-0"},{"fixed":"0.5.1"},{"introduced":"0.6.0-0"},{"fixed":"0.6.3"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"os":[],"arch":[],"functions":[]}},"database_specific":{"cvss":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","categories":[],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2018-0003.json","informational":null}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}