{"id":"RUSTSEC-2019-0014","summary":"Flaw in interface may drop uninitialized instance of arbitrary types","details":"Affected versions of this crate would call `Vec::set_len` on an uninitialized\nvector with user-provided type parameter, in an interface of the HDR image\nformat decoder. They would then also call other code that could panic before\ninitializing all instances.\n\nThis could run Drop implementations on uninitialized types, equivalent to\nuse-after-free, and allow an attacker arbitrary code execution.\n\nTwo different fixes were applied. It is possible to conserve the interface by\nensuring proper initialization before calling `Vec::set_len`. Drop is no longer\ncalled in case of panic, though.\n\nStarting from version `0.22`, a breaking change to the interface requires\ncallers to pre-allocate the output buffer and pass a mutable slice instead,\navoiding all unsafe code.","aliases":["CVE-2019-16138","GHSA-m2pf-hprp-3vqm"],"modified":"2023-11-08T04:01:16.102637Z","published":"2019-08-21T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/image"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2019-0014.html"},{"type":"WEB","url":"https://github.com/image-rs/image/pull/985"}],"affected":[{"package":{"name":"image","ecosystem":"crates.io","purl":"pkg:cargo/image"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.10.2"},{"fixed":"0.21.3"}]}],"ecosystem_specific":{"affects":{"functions":["image::hdr::HDRDecoder::read_image_transform"],"arch":[],"os":[]},"affected_functions":null},"database_specific":{"categories":[],"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2019-0014.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}