CVE-2021-29937

Name of the Vulnerable Software and Affected Versions telemetry crate versions through 0.1.2 telemetry crate versions through 2021-02-17

Description An issue was discovered in the telemetry crate where there is a drop of uninitialized memory if a value.clone() call panics within misc::vec with size(). The misc::vec with size function creates a vector of the provided size and immediately calls vec.set len(size) on it, initially filling it with uninitialized memory. It then inserts elements using vec[i] = value.clone(). If the value.clone() call panics, uninitialized items in the vector will be dropped leading to undefined behavior.

Recommendations For versions through 0.1.2, consider disabling the misc::vec with size function until a patch is available. For versions through 2021-02-17, restrict access to the misc::vec with size function to minimize the risk of exploitation. As a temporary workaround, avoid using the value.clone() call within the misc::vec with size function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.