PT-2021-24268 · Rdiff · Rdiff
Published: 2021-02-03 · Updated: 2022-06-17
CVE-2021-45694
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
rdiff crate versions through 0.1.2
Description:
The issue arises when the rdiff crate uses the return value of a Read instance to set the length of its internal character vector. If the Read implementation claims to have read more bytes than the length of the provided buffer, the length of the vector is set to a value larger than its capacity. This causes rdiff API methods to return uninitialized memory. The rdiff crate performs a diff of two provided strings or files.
Recommendations:
For versions through 0.1.2, as a temporary workaround, consider restricting the use of the rdiff crate until a patch is available. Avoid using the rdiff APIs that return uninitialized memory to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.
Fix
Use of Uninitialized Resource
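The check whose absence the Description identifies, shown as an added Rust example; this is not code from the rdiff crate or from this advisory. `OverReportingReader` and `fill_block` are hypothetical names, and the input bytes are constructed for the demonstration.

```rust
use std::io::{self, ErrorKind, Read};

// Constructed for this example: violates the Read contract by reporting
// more bytes than the buffer it was given can hold.
struct OverReportingReader;

impl Read for OverReportingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        buf.fill(b'A');
        Ok(buf.len() + 64)
    }
}

// Hypothetical helper, not rdiff's API: fill one block of up to `block_size`
// bytes. The Vec is zero-initialized and only ever truncated, so its length
// can never exceed the bytes actually written, whatever the reader claims.
fn fill_block<R: Read>(reader: &mut R, block_size: usize) -> io::Result<Vec<u8>> {
    let mut block = vec![0u8; block_size];
    let mut filled = 0;
    while filled < block_size {
        match reader.read(&mut block[filled..]) {
            Ok(0) => break, // end of input
            Ok(n) if n > block_size - filled => {
                // The count is untrusted: reject it instead of using it as a length.
                return Err(io::Error::new(
                    ErrorKind::InvalidData,
                    "reader reported more bytes than the buffer holds",
                ));
            }
            Ok(n) => filled += n,
            Err(e) if e.kind() == ErrorKind::Interrupted => continue,
            Err(e) => return Err(e),
        }
    }
    block.truncate(filled);
    Ok(block)
}

fn main() {
    let mut honest = io::Cursor::new(b"hello world".to_vec()); // constructed input
    println!("{:?}", fill_block(&mut honest, 8)); // first 8 bytes
    println!("{:?}", fill_block(&mut honest, 8)); // remaining 3 bytes
    let rejected = fill_block(&mut OverReportingReader, 8);
    println!("{:?}", rejected.map_err(|e| e.kind()));
}
```

Because the buffer is initialized before the read and only shrunk afterwards, a reader that misreports its count produces an error rather than a vector whose length exceeds its initialized contents.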
Weakness Enumeration
Related Identifiers
Affected Products
Rdiff