CVE-2020-25016

Name of the Vulnerable Software and Affected Versions rgb crate versions prior to 0.8.20

Description A safety issue was discovered in the rgb crate, which can lead to dereferencing of arbitrary pointers or disclosure of uninitialized memory. This occurs because structs can be treated as bytes for read and write operations, and the crate does not correctly constrain wrapper structures to safe types. If a type T wrapped in RGB<T> contains padding, viewing it as bytes may expose contents of uninitialized memory. If T contains a pointer, modifying it as bytes may lead to dereferencing of arbitrary pointers. Any safety and/or validity invariants for T may be violated.

Recommendations For versions prior to 0.8.20, the issue was resolved by requiring all types wrapped in structures provided by the RGB crate to implement an unsafe marker trait. Update to version 0.8.20 or later to resolve the issue. As a temporary workaround, consider restricting the use of the RGB<T> wrapper structure until the update is applied.