Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RUSTSEC-2020-0146: arr! macro erases lifetimes #2714

Closed
github-actions bot opened this issue Mar 1, 2021 · 7 comments
Closed

RUSTSEC-2020-0146: arr! macro erases lifetimes #2714

github-actions bot opened this issue Mar 1, 2021 · 7 comments

Comments

@github-actions
Copy link

github-actions bot commented Mar 1, 2021

arr! macro erases lifetimes

Details
Package generic-array
Version 0.12.3
URL fizyk20/generic-array#98
Date 2020-04-09
Patched versions >=0.14.0
Unaffected versions <0.8.0

Affected versions of this crate allowed unsoundly extending
lifetimes using arr! macro. This may result in a variety of
memory corruption scenarios, most likely use-after-free.

See advisory page for additional details.
@delta1
Copy link
Contributor

delta1 commented Mar 2, 2021

Tracked this down to tari-crypto dep on blake2 > crypto-mac > generic-array

Will make an issue in tari-crypto

cargo tree

│   ├── tari_crypto v0.8.2
│   │   ├── blake2 v0.8.1
│   │   │   ├── byte-tools v0.3.1
│   │   │   ├── crypto-mac v0.7.0
│   │   │   │   ├── generic-array v0.12.3

@delta1 delta1 mentioned this issue Mar 2, 2021
Closed
@mbrubeck
Copy link

mbrubeck commented Mar 2, 2021
edited
Loading

A patched version generic-array 0.12.4 is now available, so you can fix this without any changes to tari_crypto, by running:

cargo update -p generic-array:0.12.3

@delta1
Copy link
Contributor

delta1 commented Mar 2, 2021

Thanks @mbrubeck will give that a shot

@delta1 delta1 mentioned this issue Mar 2, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@mbrubeck @delta1 @stringhandler and others