GHSA-v363-rrf2-5fmj: ferris-says has undefined behavior when not using UTF-8

Affected versions receive a &[u8] from the caller through a safe API, and pass it directly to the unsafe str::from_utf8_unchecked function.

The behavior of ferris_says::say is undefined if the bytes from the caller don’t happen to be valid UTF-8.

The flaw was corrected in ferris-says#21 by using the safe str::from_utf8 instead, and returning an error on invalid input. However, this fix has not yet been published to crates.io as a patch version for 0.2.

Separately, ferris-says#32 has introduced a different API for version 0.3 which accepts input as &str rather than &[u8], and so is unaffected by this bug.
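The following is an added illustration of the pattern the advisory describes, not code from the ferris-says project: a safe function that accepts caller-supplied bytes validates them with str::from_utf8 (or substitutes replacement characters with String::from_utf8_lossy) instead of handing them to str::from_utf8_unchecked. The names say_checked, say_lossy, render and SayError are assumptions made for this example, and the speech-bubble layout is a minimal stand-in rather than the crate's own rendering.

```rust
use std::str::{self, Utf8Error};

/// Error returned to the caller on invalid input (hypothetical type for this
/// example). This mirrors the advisory's fix: report the error rather than
/// invoke undefined behavior.
#[derive(Debug, PartialEq)]
pub enum SayError {
    InvalidUtf8 { valid_up_to: usize },
}

impl From<Utf8Error> for SayError {
    fn from(e: Utf8Error) -> Self {
        // `valid_up_to` tells the caller where the first bad sequence starts,
        // which is useful for logging without echoing the raw bytes.
        SayError::InvalidUtf8 { valid_up_to: e.valid_up_to() }
    }
}

// The affected pattern (deliberately NOT invoked here) is a safe signature such
// as `fn say(input: &[u8], width: usize) -> String` whose body calls
// `unsafe { str::from_utf8_unchecked(input) }`. Because any caller can pass any
// bytes, the `unsafe` block's precondition cannot be upheld by the function
// itself, so the safe API is unsound.

/// Hardened form (hypothetical name): `str::from_utf8` validates the bytes and
/// the `?` operator turns a `Utf8Error` into `SayError`. No `unsafe` is needed,
/// so the function is sound for every `&[u8]` a caller can construct.
pub fn say_checked(input: &[u8], width: usize) -> Result<String, SayError> {
    let text = str::from_utf8(input)?;
    Ok(render(text, width))
}

/// Tolerant alternative (hypothetical name): invalid sequences become U+FFFD.
/// Also sound; choosing an error versus replacement is an API design decision.
pub fn say_lossy(input: &[u8], width: usize) -> String {
    render(&String::from_utf8_lossy(input), width)
}

/// Minimal stand-in for bubble rendering: wraps the text into chunks of
/// `width` characters (counted as `char`s, not bytes) and draws a border.
fn render(text: &str, width: usize) -> String {
    let width = width.max(1); // guard: chunks(0) would panic
    let chars: Vec<char> = text.chars().collect();
    let lines: Vec<String> = chars
        .chunks(width)
        .map(|c| c.iter().collect::<String>())
        .collect();
    let inner = lines.iter().map(|l| l.chars().count()).max().unwrap_or(0);
    let mut out = String::new();
    out.push_str(&format!(" {}\n", "_".repeat(inner + 2)));
    for l in &lines {
        let pad = inner - l.chars().count();
        out.push_str(&format!("< {}{} >\n", l, " ".repeat(pad)));
    }
    out.push_str(&format!(" {}\n", "-".repeat(inner + 2)));
    out
}

fn main() {
    // Constructed sample inputs: valid ASCII, and ASCII followed by 0xFF,
    // which is never valid in UTF-8.
    println!("{}", say_checked(b"Hello", 40).unwrap());
    match say_checked(&[0x68, 0x69, 0xff], 40) {
        Ok(s) => println!("{}", s),
        Err(e) => println!("rejected input: {:?}", e),
    }
    println!("{}", say_lossy(&[0x68, 0x69, 0xff], 40));
}
```

The point of the contrast is where the proof obligation lives: with from_utf8_unchecked, a safe public function promises soundness it cannot guarantee, whereas with from_utf8 the check runs on every call and the cost is a single pass over the input.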



ferris-says has undefined behavior when not using UTF-8

Severity: Low (GitHub Reviewed). Published Jan 17, 2024 to the GitHub Advisory Database; updated Jan 17, 2024.

Package

cargo ferris-says (Rust)

Affected versions

>= 0.1.2, <= 0.2.1

>= 0.3.0, < 0.3.1

References

  • rust-lang/ferris-says#21
  • rust-lang/ferris-says@bb661f2
  • https://rustsec.org/advisories/RUSTSEC-2024-0001.html

Published to the GitHub Advisory Database

Jan 17, 2024

Last updated

Jan 17, 2024
