CVE-2021-26953

Name of the Vulnerable Software and Affected Versions: postscript crate versions prior to 0.14.0

Description: The issue allows attackers to obtain sensitive information from uninitialized memory locations via a user-provided Read implementation. Affected versions of the crate pass an uninitialized buffer to a user-provided Read implementation, which can read from the uninitialized buffer, causing memory exposure, and return an incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior.

Recommendations: For versions prior to 0.14.0, update to version 0.14.0 or later, which includes the fix for this issue by zero-initializing the buffer before handing it to a user-provided Read implementation. As a temporary workaround, consider restricting the use of user-provided Read implementations until the issue is resolved.