{"id":"RUSTSEC-2023-0057","summary":"Fails to prohibit standard library access prior to initialization of Rust standard library runtime","details":"Affected versions allow arbitrary caller-provided code to execute before the\nlifetime of `main`.\n\nIf the caller-provided code accesses particular pieces of the standard library\nthat require an initialized Rust runtime, such as `std::io` or `std::thread`,\nthese may not behave as documented. Panics are likely; UB is possible.\n\nThe flaw was corrected by enforcing that only code written within the\n`inventory` crate, which is guaranteed not to access runtime-dependent parts of\nthe standard library, runs before `main`. Caller-provided code is restricted to\nrunning at compile time.","aliases":["GHSA-ghc8-5cgm-5rpf"],"modified":"2024-02-10T16:26:48.633370Z","published":"2023-09-10T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/inventory"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2023-0057.html"},{"type":"WEB","url":"https://github.com/dtolnay/inventory/pull/43"}],"affected":[{"package":{"name":"inventory","ecosystem":"crates.io","purl":"pkg:cargo/inventory"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.2.0"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0057.json","cvss":null,"informational":"unsound","categories":[]}}],"schema_version":"1.7.3"}