{"id":"RUSTSEC-2021-0070","summary":"VecStorage Deserialize Allows Violation of Length Invariant","details":"The `Deserialize` implementation for `VecStorage` did not maintain the invariant that the number of elements must equal `nrows * ncols`. Deserialization of specially crafted inputs could allow memory access beyond allocation of the vector.\n\nThis flaw was introduced in v0.11.0 ([`086e6e`](https://github.com/dimforge/nalgebra/commit/086e6e719f53fecba6dadad2e953a487976387f5)) due to the addition of an automatically derived implementation of `Deserialize` for `MatrixVec`. `MatrixVec` was later renamed to `VecStorage` in v0.16.13 ([`0f66403`](https://github.com/dimforge/nalgebra/commit/0f66403cbbe9eeac15cedd8a906c0d6a3d8841f2)) and continued to use the automatically derived implementation of `Deserialize`.\n\nThis flaw was corrected in commit [`5bff536`](https://github.com/dimforge/nalgebra/commit/5bff5368bf38ddfa31416e4ae9897b163031a513) by returning an error during deserialization if the number of elements does not exactly match the expected size.","aliases":["CVE-2021-38190","GHSA-3w8g-xr3f-2mp8"],"modified":"2023-11-08T04:06:25.921387Z","published":"2021-06-06T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/nalgebra"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0070.html"},{"type":"REPORT","url":"https://github.com/dimforge/nalgebra/issues/883"}],"affected":[{"package":{"name":"nalgebra","ecosystem":"crates.io","purl":"pkg:cargo/nalgebra"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.11.0"},{"fixed":"0.27.1"}]}],"ecosystem_specific":{"affects":{"arch":[],"functions":[],"os":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0070.json","informational":null,"cvss":null,"categories":["memory-corruption","memory-exposure"]}}],"schema_version":"1.7.3"}