PT-2021-17192 · Calamine · Calamine

Published: 2021-01-06 · Updated: 2022-04-25 · CVE-2021-26951

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: calamine versions prior to 0.17.0
Description: The issue allows attackers to overwrite heap-memory locations. Affected versions of the crate call Vec::set_len to increase the length of a vector without claiming (reserving) more memory for it, and then call a user-provided Read on the uninitialized memory of the extended vector. This can overwrite active entities in adjacent heap memory and is considered a major security issue. Additionally, calling a user-provided Read on uninitialized memory is undefined behavior in Rust.
Recommendations: For versions prior to 0.17.0, update to version 0.17.0 or later to resolve the issue. As a temporary workaround, avoid using Vec::set_len to increase the length of vectors without properly claiming memory first, and refrain from calling a user-provided Read on uninitialized memory. Restrict access to the Sectors::get function until the issue is resolved.
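
The workaround above, as an added example (not calamine's code and not the upstream fix): the tail of the vector is allocated and zeroed before any Read implementation sees it. The names read_append and InspectingReader are hypothetical, and the input bytes are constructed for the demonstration.

```rust
use std::io::{self, Read};

/// Hypothetical helper: append exactly `n` bytes from `r` to `buf`.
/// The flawed pattern from the description would be, in outline:
///     unsafe { buf.set_len(old + n); }  // length grown, no memory reserved
///     r.read_exact(&mut buf[old..])?;   // Read is handed memory the Vec does not own
/// Here the new tail is allocated and initialized first.
pub fn read_append<R: Read>(r: &mut R, buf: &mut Vec<u8>, n: usize) -> io::Result<()> {
    let old = buf.len();
    let new_len = old
        .checked_add(n)
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "length overflow"))?;
    buf.resize(new_len, 0); // reallocates if needed and zero-fills the tail
    if let Err(e) = r.read_exact(&mut buf[old..]) {
        buf.truncate(old); // do not keep a half-filled tail on error
        return Err(e);
    }
    Ok(())
}

/// Constructed test reader standing in for a user-provided Read: it records
/// whether every buffer it is handed is all-zero before writing to it, and
/// delivers one byte per call to exercise short reads.
pub struct InspectingReader<'a> {
    pub data: &'a [u8],
    pub saw_only_zeros: bool,
}

impl<'a> Read for InspectingReader<'a> {
    fn read(&mut self, out: &mut [u8]) -> io::Result<usize> {
        if out.iter().any(|&b| b != 0) {
            self.saw_only_zeros = false;
        }
        if out.is_empty() || self.data.is_empty() {
            return Ok(0);
        }
        out[0] = self.data[0];
        self.data = &self.data[1..];
        Ok(1)
    }
}

fn main() {
    let mut buf = b"HDR".to_vec();
    let mut r = InspectingReader { data: b"sector-bytes", saw_only_zeros: true };
    read_append(&mut r, &mut buf, 6).unwrap();
    println!("{:?} zero-only={}", String::from_utf8_lossy(&buf), r.saw_only_zeros);
}
```
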

Exploit

Fix

Use of Uninitialized Resource

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2021-26951
GHSA-PPQP-78XX-3R38
RUSTSEC-2021-0015

Affected Products

Calamine