#1061577 rust-io: RUSTSEC-2020-0021: CVE-2020-35876: use-after-free buffer access when a future is leaked

Package:
src:rust-rio
Source:
src:rust-rio
Submitter:
Alexander Kjäll
Date:
2024-01-27 08:42:03 UTC
Severity:
normal
Tags:
#1061577#5
Date:
2024-01-26 19:03:23 UTC
From:
To:
Dear Maintainer,

https://rustsec.org/advisories/RUSTSEC-2020-0021.html

Description

When a rio::Completion is leaked, its drop code will not run.
The drop code is responsible for waiting until the kernel
completes the I/O operation into, or out of, the buffer
borrowed by rio::Completion. Leaking the struct will allow one
to access and/or drop the buffer, which can lead to a
use-after-free, data races or leaking secrets.