{"id":"RUSTSEC-2022-0067","summary":" Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`","details":"The compression and decompression function used `mem:uninitialized`\nto create an array of uninitialized values, to later write values into it.\nThis later leads to reads from uninitialized memory.\n\nThe flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf\nby using a heap-allocated `Vec` and removing out use of `mem::uninitialized`.\nThe fix was released in v0.3.2 and v1.0.0\n\nSubsequently the crate was deprecated and its use is discouraged.","aliases":["GHSA-5m39-wx2q-mxg3"],"modified":"2023-11-08T04:15:48.003089Z","published":"2022-10-22T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/lzf"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0067.html"},{"type":"REPORT","url":"https://github.com/badboy/lzf-rs/issues/9"}],"affected":[{"package":{"name":"lzf","ecosystem":"crates.io","purl":"pkg:cargo/lzf"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.3.2"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":["lzf::compress","lzf::decompress"],"arch":[],"os":[]}},"database_specific":{"categories":[],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0067.json","informational":"unsound","cvss":null}}],"schema_version":"1.7.3"}