PT-2021-16995 · Unknown · Marc Crate

Published 2021-01-26 · Updated 2021-08-25 · CVE-2021-26308

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

marc crate versions prior to 2.0.0

Description

An issue was discovered in the marc crate for Rust, where a user-provided Read implementation can gain access to the old contents of newly allocated memory, violating soundness. The affected versions of this crate pass an uninitialized buffer to a user-provided Read implementation, specifically in the Record::read() function. An arbitrary Read implementation can therefore read from the uninitialized buffer, potentially exposing memory, and can also return an incorrect number of bytes written to the buffer. Reading from uninitialized memory can produce undefined values, leading to undefined behavior.

Recommendations

For versions prior to 2.0.0, update to version 2.0.0 or later to fix the issue; the flaw was fixed in commit 6299af0 by zero-initializing the newly allocated memory. As a temporary workaround, consider restricting the use of the Record::read() function until a patch is available. Additionally, avoid using arbitrary Read implementations with the affected versions of the marc crate to minimize the risk of exploitation.
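
The pattern behind the fix, as an added example that is not code from the marc crate or from this advisory: a buffer is zero-initialized before any caller-supplied Read sees it, and the byte count the reader reports is checked rather than trusted. The names PeekingReader and read_block are hypothetical, and the commented-out unsound variant is the general shape of this bug class, not a quotation of the crate's source.

```rust
use std::io::{self, Read};

// Constructed reader for the demo: it writes nothing, records the buffer it
// was handed, and reports `buf.len() + over` bytes. Safe code may do all this.
struct PeekingReader {
    seen: Vec<u8>,
    over: usize,
}

impl Read for PeekingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.seen.extend_from_slice(buf); // reads whatever the caller allocated
        Ok(buf.len() + self.over)         // claimed count, possibly too large
    }
}

// Hardened read of exactly `len` bytes (hypothetical helper).
// The unsound variant of the allocation would be:
//     let mut buf = Vec::with_capacity(len);
//     unsafe { buf.set_len(len) };  // reader receives stale heap contents
fn read_block<R: Read>(src: &mut R, len: usize) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; len]; // zero-initialized before the reader sees it
    let mut filled = 0;
    while filled < len {
        match src.read(&mut buf[filled..])? {
            0 => return Err(io::ErrorKind::UnexpectedEof.into()),
            n if n > len - filled => {
                return Err(io::Error::new(io::ErrorKind::InvalidData, "reader over-reported"))
            }
            n => filled += n,
        }
    }
    Ok(buf)
}

fn main() {
    let mut r = PeekingReader { seen: Vec::new(), over: 0 };
    let out = read_block(&mut r, 16).unwrap();
    println!("reader saw {:?}, caller got {:?}", r.seen, out);
}
```
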

Exploit

Fix

Weakness Enumeration

Use of Uninitialized Resource

Related Identifiers

CVE-2021-26308
GHSA-3MF3-2GV9-H39J
RUSTSEC-2021-0014

Affected Products

Marc Crate