PT-2021-24277 · Unknown · Tectonic Xdv

Published: 2021-02-17 · Updated: 2022-06-17 · CVE-2021-45703

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: tectonic xdv crate versions prior to 0.1.12
Description: An issue in the tectonic xdv crate allows XdvParser::<T>::process to read from uninitialized memory locations. Affected versions of this crate pass an uninitialized buffer to a user-provided Read implementation. This can lead to memory exposure, because an arbitrary Read implementation may read from the uninitialized buffer and may return an incorrect number of bytes written to it, so the caller then consumes bytes that were never written. Reading from uninitialized memory produces undefined values and quickly leads to undefined behavior.
Recommendations: For versions prior to 0.1.12, update to version 0.1.12 or later, which fixes this issue by zero-initializing the buffer before passing it to a user-provided Read implementation. Where updating is not yet possible, restrict use of the XdvParser::<T>::process function as a temporary workaround, and avoid feeding arbitrary (untrusted) Read implementations to affected versions of the crate to minimize the risk of exploitation.
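The pattern behind this advisory, shown as an added example in Rust (this is not the tectonic_xdv crate's code, and `LyingReader`, `read_chunk_zeroed` and `read_chunk_uninit_vulnerable` are hypothetical names chosen for illustration): a buffer is handed to a caller-supplied `Read`, and the reader is free to write nothing yet report a full count. The hardened function zero-initializes the buffer first, as the 0.1.12 fix does, and clamps the reported count, so a misbehaving reader yields defined zeros instead of leftover memory contents. The pre-fix shape is reconstructed only for contrast and is never executed.

```rust
use std::io::{self, Read};

/// Constructed misbehaving reader (not from the tectonic_xdv crate): it writes
/// nothing into `buf` yet reports that it filled the whole slice. Given an
/// uninitialized buffer, the caller would go on to parse whatever the memory
/// held; given a zeroed one, it parses zeros and at worst gets a clean error.
struct LyingReader;

impl Read for LyingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        Ok(buf.len())
    }
}

/// Hardened read, mirroring the 0.1.12 fix: zero-initialize before the
/// user-provided Read ever sees the buffer, and never trust the reported
/// count beyond the buffer length.
pub fn read_chunk_zeroed<R: Read>(reader: &mut R, len: usize) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; len];
    let n = reader.read(&mut buf)?;
    buf.truncate(n.min(len));
    Ok(buf)
}

/// Hypothetical reconstruction of the pre-fix shape (not the crate's source),
/// kept only for contrast and never called: `set_len` without writing the
/// bytes hands the Read implementation uninitialized memory, which is
/// undefined behaviour regardless of how the reader behaves.
#[allow(dead_code)]
fn read_chunk_uninit_vulnerable<R: Read>(reader: &mut R, len: usize) -> io::Result<Vec<u8>> {
    let mut buf: Vec<u8> = Vec::with_capacity(len);
    // No SAFETY justification exists here; this line is the bug.
    unsafe { buf.set_len(len) };
    let n = reader.read(&mut buf)?;
    buf.truncate(n.min(len));
    Ok(buf)
}

fn main() -> io::Result<()> {
    // Well-behaved reader: a byte slice implements Read and copies what it has.
    let mut honest: &[u8] = b"\xde\xad\xbe\xef";
    println!("{:?}", read_chunk_zeroed(&mut honest, 8)?); // [222, 173, 190, 239]

    // Misbehaving reader: the zeroed buffer gives a defined, harmless result.
    println!("{:?}", read_chunk_zeroed(&mut LyingReader, 4)?); // [0, 0, 0, 0]
    Ok(())
}
```

The design point is that the trust boundary sits at the `Read` trait: any code that accepts a generic reader must assume it may lie about the count or leave bytes untouched, so the buffer it receives has to be fully initialized before the call. Tools such as Miri flag the uninitialized variant at the `set_len` line when it is exercised.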

Weakness Enumeration

Use of Uninitialized Resource

Related Identifiers

CVE-2021-45703
GHSA-6692-8QQF-79JC
GHSA-QWVX-C8J7-5G75
RUSTSEC-2021-0112

Affected Products

Tectonic Xdv