Skip to content

lexical-core has multiple soundness issues

Low severity GitHub Reviewed Published Sep 16, 2024 to the GitHub Advisory Database • Updated Sep 16, 2024

Package

cargo lexical-core (Rust)

Affected versions

< 1.0.0

Patched versions

1.0.0

Description

RUSTSEC-2024-0377 contains multiple soundness issues:

  1. Bytes::read() allows creating instances of types with invalid bit patterns
  2. BytesIter::read() advances iterators out of bounds
  3. The BytesIter trait has safety invariants but is public and not marked unsafe
  4. write_float() calls MaybeUninit::assume_init() on uninitialized data, which is is not allowed by the Rust abstract machine
  5. radix() calls MaybeUninit::assume_init() on uninitialized data, which is is not allowed by the Rust abstract machine

Version 1.0 fixes these issues, removes the vast majority of unsafe code, and also fixes some correctness issues.

References

Published to the GitHub Advisory Database Sep 16, 2024
Reviewed Sep 16, 2024
Last updated Sep 16, 2024

Severity

Low

EPSS score

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-2326-pfpj-vx3h

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.