CVE-2021-43620

Name of the Vulnerable Software and Affected Versions: fruity crate versions through 0.2.0

Description: An issue was discovered in the fruity crate where security-relevant validation of filename extensions is plausibly affected. Methods of NSString for conversion to a string may return a partial result because they call CStr::from ptr on a pointer to the string buffer, which is terminated at the first null byte, potentially not the end of the string. This could allow for bypassing file extension checks, for example, by adding an accepted extension after a null byte. The implementations of Display, PartialEq, PartialOrd, and ToString for NSString are also affected.

Recommendations: For fruity crate versions through 0.2.0, consider generating unique names for files instead of using user-provided names to minimize the risk of exploitation. As a temporary workaround, restrict the use of NSString for path validation until a patch is available. Avoid using user-provided file names that may contain null bytes to prevent potential bypassing of file extension checks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.