CVE-2019-16881

Name of the Vulnerable Software and Affected Versions portaudio-rs crate versions through 0.3.1

Description The issue is related to a lack of unwind safety in stream callback and stream finished callback functions, leading to a use-after-free condition that allows for arbitrary code execution. This occurs because the call to a user-provided closure might panic before a mem::forget call, causing a use-after-free that grants an attacker control over the callback function pointer. The flaw was reported by Phosphorus15.

Recommendations For portaudio-rs crate versions through 0.3.1, as a temporary workaround, consider disabling the stream callback and stream finished callback functions until a patch is available. Restrict access to these callback functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.