Posted to github@arrow.apache.org by GitBox <gi...@apache.org> on 2021/06/21 01:14:59 UTC

[GitHub] [arrow-rs] BohuTANG opened a new issue #476: Security Vulnerabilities: flatbuffers: `read_scalar` and `read_scalar_at` allow transmuting values without `unsafe` blocks

BohuTANG opened a new issue #476:
URL: https://github.com/apache/arrow-rs/issues/476


   **Describe the bug**
   
   https://deps.rs/repo/github/apache/arrow-rs#vulnerabilities
   
   flatbuffers: `read_scalar` and `read_scalar_at` allow transmuting values without `unsafe` blocks
   RUSTSEC-2020-0009
   
   The read_scalar and read_scalar_at functions are unsound because they allow transmuting values without unsafe blocks.
   
   The following example shows how to create a dangling reference:
   ```rust
   fn main() {
       // A type whose only field is a reference: not every bit pattern is a
       // valid value, so reading it from raw bytes is unsound.
       #[derive(Copy, Clone, PartialEq, Debug)]
       struct S(&'static str);
       // EndianScalar is a safe trait, so any Copy type can opt in with no
       // unsafe block, which is what lets read_scalar transmute into it.
       impl flatbuffers::EndianScalar for S {
           fn to_little_endian(self) -> Self { self }
           fn from_little_endian(self) -> Self { self }
       }
       // Reinterprets size_of::<S>() bytes of 0x01 as a (pointer, length)
       // pair; printing it dereferences a dangling pointer.
       println!("{:?}", flatbuffers::read_scalar::<S>(&[1; std::mem::size_of::<S>()]));
   }
   ```
   
   **To Reproduce**
   
   https://deps.rs/repo/github/apache/arrow-rs#vulnerabilities
   
   **Expected behavior**
   A clear and concise description of what you expected to happen.
   
   **Additional context**
   See [advisory page](https://rustsec.org/advisories/RUSTSEC-2020-0009.html) for additional details.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
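The unsoundness above comes from a safe trait (`EndianScalar`) gating a function that reinterprets arbitrary bytes as any implementing type. The example below is an added illustration, not code from the issue, from the advisory, or from the flatbuffers or arrow-rs projects: it shows one sound way to expose the same `read_scalar` / `read_scalar_at` shape. The trait is marked `unsafe`, so an implementer must write `unsafe impl` and thereby vouch that every bit pattern is a valid value of the type, and the reads are bounds-checked and use an unaligned read. The trait and function names mirror the flatbuffers API for readability but are this example's own definitions, and the sample buffer is constructed.

```rust
use std::mem::size_of;
use std::ptr;

/// Marker for scalar types that can be read from any byte pattern.
///
/// # Safety
/// Implementers must guarantee that every possible bit pattern of
/// `size_of::<Self>()` bytes is a valid value of `Self`. Integers and
/// IEEE floats satisfy this; references, `bool`, enums and anything with
/// padding or niches do not. (This example's own trait, modelled on the
/// flatbuffers `EndianScalar` name; not the library's definition.)
pub unsafe trait EndianScalar: Copy {
    /// Convert from the little-endian wire representation to host order.
    fn from_little_endian(self) -> Self;
}

macro_rules! int_scalar {
    ($($t:ty),*) => {$(
        // SAFETY: every bit pattern is a valid value of a primitive integer.
        unsafe impl EndianScalar for $t {
            fn from_little_endian(self) -> Self { <$t>::from_le(self) }
        }
    )*};
}
int_scalar!(u8, u16, u32, u64, i8, i16, i32, i64);

// SAFETY: every 32-bit pattern is a valid f32 (NaN payloads included).
unsafe impl EndianScalar for f32 {
    fn from_little_endian(self) -> Self {
        f32::from_bits(u32::from_le(self.to_bits()))
    }
}

/// Read a `T` from `buf` starting at `offset`, returning `None` instead of
/// reading out of bounds. The only `unsafe` is confined here and is
/// justified by the `EndianScalar` contract plus the length check.
pub fn read_scalar_at<T: EndianScalar>(buf: &[u8], offset: usize) -> Option<T> {
    let end = offset.checked_add(size_of::<T>())?; // no wraparound on offset
    let bytes = buf.get(offset..end)?;             // no out-of-bounds read
    // SAFETY: `bytes` has exactly size_of::<T>() bytes, read_unaligned does
    // not require alignment, and T: EndianScalar (an unsafe trait) promises
    // that any byte pattern is a valid T.
    let raw = unsafe { ptr::read_unaligned(bytes.as_ptr() as *const T) };
    Some(raw.from_little_endian())
}

/// Read a `T` from the start of `buf`.
pub fn read_scalar<T: EndianScalar>(buf: &[u8]) -> Option<T> {
    read_scalar_at(buf, 0)
}

// The advisory's dangling-reference type can no longer opt in without the
// implementer writing `unsafe impl`, which is the point of the design:
//
//     #[derive(Copy, Clone)]
//     struct S(&'static str);
//     impl EndianScalar for S { ... }   // error: trait is unsafe to implement

fn main() {
    // Constructed little-endian buffer: u32 0x12345678 at offset 1.
    let buf = [0x00u8, 0x78, 0x56, 0x34, 0x12];
    println!("{:?}", read_scalar_at::<u32>(&buf, 1)); // Some(305419896)
    println!("{:?}", read_scalar_at::<u32>(&buf, 2)); // None: only 3 bytes left
}
```

Note that the `unsafe impl` requirement moves the proof obligation to the type author, where it belongs, while the length and overflow checks keep `read_scalar_at` total over any caller-supplied buffer and offset.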



[GitHub] [arrow-rs] jorgecarleitao closed issue #476: Security Vulnerabilities: flatbuffers: `read_scalar` and `read_scalar_at` allow transmuting values without `unsafe` blocks

Posted by GitBox <gi...@apache.org>.
jorgecarleitao closed issue #476:
URL: https://github.com/apache/arrow-rs/issues/476


   

