CVE-2020-15254 - log back

CVE-2020-15254 edited at 02 Nov 2020 11:09:37
Description
- An undefined behaviour leading to memory corruption issues has been found in the crossbeam rust crate <= 0.4.3. The affected version of this crate's the bounded channel incorrectly assumes that Vec::from_iter has allocated capacity that same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when Vec::from_iter has allocated different sizes with the number of iterator elements.
+ An undefined behaviour leading to memory corruption issues has been found in the crossbeam rust crate <= 0.4.3. The "bounded" channel incorrectly assumes that "Vec::from_iter" has allocated enough capacity for the number of iterator elements. "Vec::from_iter" does not actually guarantee that and may allocate extra memory. The destructor of the "bounded" channel reconstructs "Vec" from the raw pointer based on the incorrect assumptions described above. This is unsound and causing deallocation with the incorrect capacity when the size allocated by "Vec::from_iter" differs from the number of iterator elements.
CVE-2020-15254 edited at 02 Nov 2020 07:57:38
Severity
- Unknown
+ Critical
Remote
- Unknown
+ Remote
Type
- Unknown
+ Arbitrary code execution
Description
+ An undefined behaviour leading to memory corruption issues has been found in the crossbeam rust crate <= 0.4.3. The affected version of this crate's the bounded channel incorrectly assumes that Vec::from_iter has allocated capacity that same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when Vec::from_iter has allocated different sizes with the number of iterator elements.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2020-45/#CVE-2020-15254
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1668514
+ https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-v5m7-53cv-f3hx
Notes
CVE-2020-15254 created at 28 Oct 2020 22:13:36