PT-2020-17633 · Rust · Array-Tools

Published

2020-12-31

Updated

2022-07-12

CVE-2020-36452

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions array-tools crate versions prior to 0.3.2

Description An issue in the array-tools crate causes memory corruption due to the drop of uninitialized memory when T::clone() panics in FixedCapacityDequeLike<T, A>::clone(). This occurs because affected versions of the crate do not guard against panics, leading to the partial initialization of a buffer that is then dropped. The FixedCapacityDequeLike::clone() function is specifically affected.

Recommendations For versions prior to 0.3.2, update to version 0.3.2 or later to resolve the issue. As a temporary workaround, consider implementing panic handling for T::clone() to prevent the drop of uninitialized memory in FixedCapacityDequeLike<T, A>::clone().

Fix

Use of Uninitialized Resource

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-909CWE-908

Related Identifiers

CVE-2020-36452

GHSA-6WP2-FW3V-MFMC

RUSTSEC-2020-0132

Affected Products

Array-Tools

PT-2020-17633 · Rust · Array-Tools

CVE-2020-36452

Weakness Enumeration

Related Identifiers

Affected Products

References · 10