GHSA-ghc8-5cgm-5rpf: Inventory fails to prohibit standard library access prior to initialization of Rust standard library runtime

Skip to content

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• Pricing

1. GitHub Advisory Database
2. GitHub Reviewed
3. GHSA-ghc8-5cgm-5rpf

Inventory fails to prohibit standard library access prior to initialization of Rust standard library runtime

Moderate severity GitHub Reviewed Published Sep 11, 2023 to the GitHub Advisory Database • Updated Sep 11, 2023

Package

cargo inventory (Rust)

Affected versions

< 0.2.0

Description

Affected versions allow arbitrary caller-provided code to execute before the lifetime of main.

If the caller-provided code accesses particular pieces of the standard library that require an initialized Rust runtime, such as std::io or std::thread, these may not behave as documented. Panics are likely; UB is possible.

The flaw was corrected by enforcing that only code written within the inventory crate, which is guaranteed not to access runtime-dependent parts of the standard library, runs before main. Caller-provided code is restricted to running at compile time.

References

• dtolnay/inventory#43
• dtolnay/inventory@b853350
• https://rustsec.org/advisories/RUSTSEC-2023-0057.html

Published to the GitHub Advisory Database

Sep 11, 2023

Last updated

Sep 11, 2023