{"id":"RUSTSEC-2021-0015","summary":"`Sectors::get` accesses unclaimed/uninitialized memory","details":"Affected versions of this crate arbitrarily calls `Vec::set_len` to increase length of a vector without claiming more memory for the vector. Affected versions of this crate\nalso calls user-provided `Read` on the uninitialized memory of the vector that was\nextended with `Vec::set_len`.\n\nThis can overwrite active entities in adjacent heap memory and seems to be a major security issue. Also, calling user-provided `Read` on uninitialized memory is defined as UB in Rust.","aliases":["CVE-2021-26951","GHSA-ppqp-78xx-3r38"],"modified":"2023-11-08T04:05:22.828925Z","published":"2021-01-06T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/calamine"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0015.html"},{"type":"REPORT","url":"https://github.com/tafia/calamine/issues/199"}],"affected":[{"package":{"name":"calamine","ecosystem":"crates.io","purl":"pkg:cargo/calamine"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.17.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"os":[],"functions":[],"arch":[]}},"database_specific":{"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0015.json","categories":["memory-corruption","memory-exposure"]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}