CVE-2020-35923

Name of the Vulnerable Software and Affected Versions ordered-float crate versions prior to 1.1.1 ordered-float crate versions 2.x prior to 2.0.1

Description An issue was discovered where a NotNan value can contain a NaN after using assignment operators such as NotNan::add assign or NotNan::mul assign. This could cause undefined behavior in safe code due to the NotNan::cmp method containing internal unsafe code that assumes the value is never NaN. The issue could also cause undefined behavior in third-party unsafe code and logic errors in safe code. The flaw was partially mitigated in version 0.4.0 by panicking if the assigned value is NaN, but code using the NotNan value during unwinding or after catching the panic could still observe the invalid value and trigger undefined behavior.

Recommendations For ordered-float crate versions prior to 1.1.1, update to version 1.1.1 or later to fully correct the flaw. For ordered-float crate versions 2.x prior to 2.0.1, update to version 2.0.1 or later to fully correct the flaw.