PT-2019-19977 · Rust · Rand Core

Published 2019-04-19 · Updated 2021-08-25 · CVE-2020-25576

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

rand_core versions prior to 0.4.2

Description

An issue was discovered in the rand_core crate where casting of byte slices to integer slices mishandles alignment constraints, resulting in undefined behavior. The functions rand_core::BlockRng::next_u64 and rand_core::BlockRng::fill_bytes are affected.

Recommendations

For versions prior to 0.4.2, update to version 0.4.2 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the rand_core::BlockRng::next_u64 and rand_core::BlockRng::fill_bytes functions until the update is applied.
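
The alignment constraint named in the description, as an added Rust example (not rand_core's code and not its patch): a check for whether a byte slice could soundly be viewed as an integer slice, next to by-value conversions that need no pointer cast. All type and function names are hypothetical, the sample buffers are constructed, and the low-word-first and little-endian ordering is this example's own choice.

```rust
use std::mem::{align_of, size_of};

// Constructed sample buffer with a known 8-byte base alignment.
#[repr(align(8))]
struct Aligned([u8; 16]);

/// True only if `bytes` could be viewed as `&[T]` without violating T's
/// alignment or leaving a partial element. (Hypothetical helper; call it
/// with non-zero-sized integer types such as u32 or u64.)
fn sound_to_cast<T>(bytes: &[u8]) -> bool {
    bytes.as_ptr() as usize % align_of::<T>() == 0 && bytes.len() % size_of::<T>() == 0
}

/// Build a u64 from two adjacent u32 words (low word first) by value,
/// so no `*const u32 as *const u64` cast and no 8-byte alignment is needed.
fn read_u64_from_words(words: &[u32], index: usize) -> u64 {
    (u64::from(words[index + 1]) << 32) | u64::from(words[index])
}

/// Copy words into `dest` as little-endian bytes; works for any `dest`
/// address or length. Returns the number of words consumed.
fn fill_bytes_from_words(words: &[u32], dest: &mut [u8]) -> usize {
    let mut used = 0;
    for (chunk, word) in dest.chunks_mut(4).zip(words) {
        chunk.copy_from_slice(&word.to_le_bytes()[..chunk.len()]);
        used += 1;
    }
    used
}

fn main() {
    let buf = Aligned([0u8; 16]);
    // Same bytes, different start offsets: only some are valid integer views.
    println!("offset 0 as u32: {}", sound_to_cast::<u32>(&buf.0[0..8]));
    println!("offset 1 as u32: {}", sound_to_cast::<u32>(&buf.0[1..9]));
    println!("offset 4 as u64: {}", sound_to_cast::<u64>(&buf.0[4..12]));

    // An odd word index is exactly the case a u32-to-u64 pointer cast gets wrong.
    let words = [0x1111_1111u32, 0x2222_2222, 0x3333_3333];
    println!("u64 at word 1: {:#018x}", read_u64_from_words(&words, 1));

    // A destination whose length is not a multiple of 4 is handled too.
    let mut dest = [0u8; 6];
    let used = fill_bytes_from_words(&[0x0403_0201, 0x0807_0605], &mut dest);
    println!("filled {:?} from {} words", dest, used);
}
```
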

Fix

Incorrect Type Conversion or Cast

Weakness Enumeration

Related Identifiers

CVE-2020-25576
GHSA-MMC9-PWM7-QJ5W
RUSTSEC-2019-0035

Affected Products

Rand Core