RUSTSEC-2021-0046
on 2021-02-17: misc::vec_with_size() can drop uninitialized memory if clone panics
This crate has no reviews yet. To add a review, set up your cargo-crev
.
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.
To review the actual code of the crate, it's best to use cargo crev open telemetry
. Alternatively, you can download the tarball of telemetry v0.1.3 or view the source online.
misc::vec_with_size
creates a vector of the providedsize
and immediately callsvec.set_len(size)
on it, initially filling it with uninitialized memory. It then inserts elements usingvec[i] = value.clone()
.If the
value.clone()
call panics, uninitialized items in the vector will be dropped leading to undefined behavior.CVE-2021-29937
GHSA-hpcx-3pw8-g3j2