{"id":"RUSTSEC-2021-0037","summary":"Fix a use-after-free bug in diesels Sqlite backend","details":"We've misused `sqlite3_column_name`. The\n[SQLite](https://www.sqlite.org/c3ref/column_name.html) documentation\nstates that the following:\n\n\u003e The returned string pointer is valid until either the prepared statement\n\u003e is destroyed by sqlite3_finalize() or until the statement is automatically\n\u003e reprepared by the first call to sqlite3_step() for a particular\n\u003e run or until the next call to sqlite3_column_name()\n\u003e or sqlite3_column_name16() on the same column.\n\nAs part of our `query_by_name` infrastructure we've first received all\nfield names for the prepared statement and stored them as string slices\nfor later use. After that we called `sqlite3_step()` for the first time,\nwhich invalids the pointer and therefore the stored string slice.","aliases":["CVE-2021-28305","GHSA-j8q9-5rp9-4mv9"],"modified":"2023-11-08T04:05:29.499484Z","published":"2021-03-05T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/diesel"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0037.html"},{"type":"WEB","url":"https://github.com/diesel-rs/diesel/pull/2663"}],"affected":[{"package":{"name":"diesel","ecosystem":"crates.io","purl":"pkg:cargo/diesel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"1.4.6"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":["diesel::SqliteConnection::query_by_name"],"os":[],"arch":[]}},"database_specific":{"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0037.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","categories":["memory-corruption"]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}