CVE-2019-16214

Name of the Vulnerable Software and Affected Versions Libra Core versions prior to 2019-09-03

Description The issue arises from an erroneous regular expression for inline comments, making it easier for attackers to interfere with code auditing. This can be achieved by using a nonstandard line-break character for a comment. For instance, a Move module author can introduce a single-line comment with the // sequence, followed by brief comment text, the r character, and security-critical code. In many environments, this code appears on a separate line, potentially misleading readers into thinking it is executed. However, the code is not executed due to the comment continuation allowed after the r character in the language/compiler/ir to bytecode/src/parser.rs.

Recommendations For versions prior to 2019-09-03, update to a version released after 2019-09-03 to resolve the issue. As a temporary workaround, consider disabling the use of inline comments or restricting the use of nonstandard line-break characters in comments to minimize the risk of exploitation.