PT-2021-18543 · Arenavec · Arenavec

Published 2021-01-12 · Updated 2021-08-25 · CVE-2021-29930

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

arenavec crate versions through 2021-01-12
arenavec crate versions through 0.1.1

Description

The issue concerns the arenavec crate for Rust, where a drop of uninitialized memory can occur upon a panic in T::default(). This happens because affected versions of the crate did not guard against potential panics from the user-provided functions T::default() and T::drop(). A panic within T::default() leads to dropping an uninitialized T when invoked from common::Slice::<T, H>::new(). A panic within T::drop() leads to a double drop of T when invoked from either common::SliceVec::<T, H>::resize_with() or common::SliceVec::<T, H>::resize(). Either case causes memory corruption in heap memory.

Recommendations

For versions through 2021-01-12, consider disabling the T::default() and T::drop() functions until a patch is available to prevent potential panics. For versions through 0.1.1, restrict access to common::Slice::<T, H>::new(), common::SliceVec::<T, H>::resize_with(), and common::SliceVec::<T, H>::resize() to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
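
The first failure mode in the Description (a panic in T::default() while some slots are still uninitialized) is the kind of bug a drop guard prevents, by tracking how many slots have actually been written. The following Rust code is an added example, not arenavec's code or a fix from its maintainers; `Guard`, `fill_default`, `Flaky` and `drops_after_panic` are hypothetical names, and `Flaky` is a constructed type whose `Default` panics on the third call.

```rust
use std::mem::{self, ManuallyDrop, MaybeUninit};
use std::panic;
use std::sync::atomic::{AtomicUsize, Ordering::SeqCst};

// Drop guard: if user code unwinds, drop only the slots already written.
struct Guard<'a, T> { buf: &'a mut [MaybeUninit<T>], init: usize }
impl<T> Drop for Guard<'_, T> {
    fn drop(&mut self) {
        for slot in &mut self.buf[..self.init] {
            // SAFETY: every slot below `init` was written in fill_default.
            unsafe { slot.assume_init_drop() };
        }
    }
}

// Hypothetical panic-safe "allocate, then T::default() per slot" routine.
fn fill_default<T: Default>(len: usize) -> Vec<T> {
    let mut buf: Vec<MaybeUninit<T>> = (0..len).map(|_| MaybeUninit::uninit()).collect();
    let mut guard = Guard { buf: &mut buf[..], init: 0 };
    while guard.init < len {
        let (i, value) = (guard.init, T::default()); // user code, may panic
        guard.buf[i].write(value);
        guard.init += 1;
    }
    mem::forget(guard); // all slots initialized: disarm the guard
    let mut buf = ManuallyDrop::new(buf);
    // SAFETY: MaybeUninit<T> has T's layout and every slot is initialized.
    unsafe { Vec::from_raw_parts(buf.as_mut_ptr() as *mut T, buf.len(), buf.capacity()) }
}

static MADE: AtomicUsize = AtomicUsize::new(0);
static DROPPED: AtomicUsize = AtomicUsize::new(0);
struct Flaky(u32); // constructed test type: Default panics on the third call
impl Default for Flaky {
    fn default() -> Self {
        if MADE.fetch_add(1, SeqCst) == 2 { panic!("constructed panic in default()"); }
        Flaky(7)
    }
}
impl Drop for Flaky {
    // Only initialized values may reach drop(); count each one.
    fn drop(&mut self) { debug_assert_eq!(self.0, 7); DROPPED.fetch_add(1, SeqCst); }
}
// Number of Flaky values dropped after trying to construct `len` slots.
fn drops_after_panic(len: usize) -> usize {
    MADE.store(0, SeqCst); DROPPED.store(0, SeqCst);
    let _ = panic::catch_unwind(|| fill_default::<Flaky>(len));
    DROPPED.load(SeqCst)
}
fn main() { println!("dropped {} of 8 slots", drops_after_panic(8)); }
```

With eight requested slots and a panic on the third construction, exactly the two initialized values are dropped; without the guard, cleanup code that walks all eight slots would run `drop` on uninitialized memory.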

Exploit

Double Free

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2021-29930
GHSA-327X-39HH-65WF
GHSA-955P-RC5H-HG6H
RUSTSEC-2021-0040

Affected Products

Arenavec