{"id":"RUSTSEC-2021-0012","summary":"Reading uninitialized memory can cause UB (`Deserializer::read_vec`)","details":"`Deserializer::read_vec()` created an uninitialized buffer and passes it to a user-provided `Read` implementation (`Deserializer.reader.read_exact()`).\n\nPassing an uninitialized buffer to an arbitrary `Read` implementation is currently defined as undefined behavior in Rust. Official documentation for the `Read` trait explains the following: \"It is your responsibility to make sure that buf is initialized before calling read. Calling read with an uninitialized buf (of the kind one obtains via MaybeUninit\u003cT\u003e) is not safe, and can lead to undefined behavior.\"\n\nThe flaw was corrected in commit ce310f7 by zero-initializing the newly allocated buffer before handing it to `Deserializer.reader.read_exact()`.","aliases":["CVE-2021-26305","GHSA-37jj-wp7g-7wj4"],"modified":"2023-11-08T04:05:20.783188Z","published":"2021-01-02T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/cdr"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0012.html"},{"type":"REPORT","url":"https://github.com/hrektts/cdr-rs/issues/10"}],"affected":[{"package":{"name":"cdr","ecosystem":"crates.io","purl":"pkg:cargo/cdr"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.2.4"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"functions":[],"os":[]}},"database_specific":{"categories":["memory-exposure"],"informational":null,"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0012.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}