Skip to content

Commit

Permalink
Update gh-pages
Browse files Browse the repository at this point in the history
  • Loading branch information
github-actions committed Jan 29, 2025
1 parent da6e2cb commit d315a41
Show file tree
Hide file tree
Showing 9 changed files with 874 additions and 267 deletions.
200 changes: 200 additions & 0 deletions advisories/RUSTSEC-2025-0002.html
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,200 @@
<!DOCTYPE html>

<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8">

<meta name="author" content="Rust Project Developers">
<meta name="description" content="Security advisory database for Rust crates published through https://crates.io">
<title>RUSTSEC-2025-0002: fast-float2: Segmentation fault due to lack of bound check › RustSec Advisory Database</title>

<link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,300italic,400italic" rel="stylesheet">
<link href="/css/basic.css" rel="stylesheet">
<link href="/css/highlight.css" rel="stylesheet">
<link href="/css/index.css" rel="stylesheet">

<script src="/js/index.js" defer></script>
<script src="/js/search.js" defer></script>

<header>
<div class="header-top">
<h1><a href="/"><img class="logo-image" src="/img/rustsec-logo.svg" /></a></h1>

<div class="search">
<form onsubmit="return searchform();">
<input type="search" id="search-term"
placeholder="Look up package or ID..." required
size="20">
</form>
</div>

</div>
<nav>
<div>
<a href="/">About</a>
<a href="/advisories/">Advisories</a>
<a href="/contributing.html">Report Vulnerabilities</a>
</div>
<div>
<a href="https://rust-lang.zulipchat.com/login/#narrow/stream/146229-wg-secure-code/" title="Zulip" aria-label="Zulip"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" style="height:1em;fill:currentColor"><path d="M473.09 122.97c0 22.69-10.19 42.85-25.72 55.08L296.61 312.69c-2.8 2.4-6.44-1.47-4.42-4.7l55.3-110.72c1.55-3.1-.46-6.91-3.64-6.91H129.36c-33.22 0-60.4-30.32-60.4-67.37 0-37.06 27.18-67.37 60.4-67.37h283.33c33.22-.02 60.4 30.3 60.4 67.35zM129.36 506.05h283.33c33.22 0 60.4-30.32 60.4-67.37 0-37.06-27.18-67.37-60.4-67.37H198.2c-3.18 0-5.19-3.81-3.64-6.91l55.3-110.72c2.02-3.23-1.62-7.1-4.42-4.7L94.68 383.6c-15.53 12.22-25.72 32.39-25.72 55.08 0 37.05 27.18 67.37 60.4 67.37zm522.5-124.15l124.78-179.6v-1.56H663.52v-48.98h190.09v34.21L731.55 363.24v1.56h124.01v48.98h-203.7V381.9zm338.98-230.14V302.6c0 45.09 17.1 68.03 47.43 68.03 31.1 0 48.2-21.77 48.2-68.03V151.76h59.09V298.7c0 80.86-40.82 119.34-109.24 119.34-66.09 0-104.96-36.54-104.96-120.12V151.76h59.48zm244.91 0h59.48v212.25h104.18v49.76h-163.66V151.76zm297 0v262.01h-59.48V151.76h59.48zm90.18 3.5c18.27-3.11 43.93-5.44 80.08-5.44 36.54 0 62.59 7 80.08 20.99 16.72 13.22 27.99 34.99 27.99 60.64 0 25.66-8.55 47.43-24.1 62.2-20.21 19.05-50.15 27.6-85.13 27.6-7.77 0-14.77-.39-20.21-1.17v93.69h-58.7V155.26zm58.7 118.96c5.05 1.17 11.27 1.55 19.83 1.55 31.49 0 50.92-15.94 50.92-42.76 0-24.1-16.72-38.49-46.26-38.49-12.05 0-20.21 1.17-24.49 2.33v77.37z"/></svg></a>
<a href="https://twitter.com/RustSec/" title="Twitter" aria-label="Twitter"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" style="height:1em;fill:currentColor"><path d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z"/></svg></a>
<a href="https://github.com/RustSec/" title="GitHub" aria-label="GitHub"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512" style="height:1em;fill:currentColor"><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg></a>
<a href="/feed.xml" title="Atom Feed" aria-label="Atom Feed"><svg xmlns="http://www.w3.org/2000/svg" style="height:1em" viewBox="0 0 8 8">
<style type="text/css">
.button {stroke: none; fill: currentColor;}
.symbol {stroke: none; fill-opacity=0;}
</style>
<rect class="button" width="8" height="8" rx="1.5" />
<circle class="symbol" cx="2" cy="6" r="1" />
<path class="symbol" d="m 1,4 a 3,3 0 0 1 3,3 h 1 a 4,4 0 0 0 -4,-4 z" />
<path class="symbol" d="m 1,2 a 5,5 0 0 1 5,5 h 1 a 6,6 0 0 0 -6,-6 z" />
</svg></a>
</div>
</nav>
</header>

<main class="advisory">
<article>

<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/fast-float2/RUSTSEC-2025-0002.md">History</a>
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/fast-float2/RUSTSEC-2025-0002.md">Edit</a>
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2025-0002">JSON (OSV)</a>
</span>


<header>
<h1>

RUSTSEC-2025-0002

</h1>
<span class="subtitle"><p>Segmentation fault due to lack of bound check</p>
</span>
</header>



<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2025-01-13">
January 13, 2025
</time>
</dd>

<dt id="issued">Issued</dt>
<dd>
<time datetime="2025-01-29">
January 29, 2025
</time>

</dd>

<dt id="package">Package</dt>
<dd>


<a href="/packages/fast-float2.html">fast-float2</a>
(<a href="https://crates.io/crates/fast-float2">crates.io</a>)


</dd>

<dt id="type">Type</dt>
<dd>

Vulnerability

</dd>


<dt id="categories">Categories</dt>
<dd>
<ul>

<li><a href="/categories/memory-exposure.html">memory-exposure</a></li>

</ul>
</dd>







<dt id="details">References</dt>
<dd>
<ul>

<li>
<a href="https://github.com/aldanor/fast-float-rust/issues/38">
https://github.com/aldanor/fast-float-rust/issues/38
</a>
</li>


</ul>
</dd>







<dt id="patched">Patched</dt>
<dd>

<ul>

<li><code>&gt;=0.2.2</code></li>

</ul>

</dd>








</dl>



<dl>
<dt>Affected Functions</dt>
<dd>Version</dd>

<dt><code>fast_float2::common::AsciiStr::first</code></dt>
<dd>
<ul>

<li><code>&lt;0.2.2</code></li>

</ul>
</dd>

</dl>




<h3 id="description">Description</h3>
<p>In this case, the &quot;fast_float2::common::AsciiStr::first&quot; method within the &quot;AsciiStr&quot; struct
uses the unsafe keyword to reading from memory without performing bounds checking.
Specifically, it directly dereferences a pointer offset by &quot;self.ptr&quot;.
Because of the above reason, the method accesses invalid memory address when it takes an empty string as its input.
This approach violates Rust’s memory safety guarantees, as it can lead to invalid memory access if empty buffer is provided.</p>


<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.


</p>
</article>
</main>
197 changes: 197 additions & 0 deletions advisories/RUSTSEC-2025-0003.html
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,197 @@
<!DOCTYPE html>

<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8">

<meta name="author" content="Rust Project Developers">
<meta name="description" content="Security advisory database for Rust crates published through https://crates.io">
<title>RUSTSEC-2025-0003: fast-float: Segmentation fault due to lack of bound check › RustSec Advisory Database</title>

<link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,300italic,400italic" rel="stylesheet">
<link href="/css/basic.css" rel="stylesheet">
<link href="/css/highlight.css" rel="stylesheet">
<link href="/css/index.css" rel="stylesheet">

<script src="/js/index.js" defer></script>
<script src="/js/search.js" defer></script>

<header>
<div class="header-top">
<h1><a href="/"><img class="logo-image" src="/img/rustsec-logo.svg" /></a></h1>

<div class="search">
<form onsubmit="return searchform();">
<input type="search" id="search-term"
placeholder="Look up package or ID..." required
size="20">
</form>
</div>

</div>
<nav>
<div>
<a href="/">About</a>
<a href="/advisories/">Advisories</a>
<a href="/contributing.html">Report Vulnerabilities</a>
</div>
<div>
<a href="https://rust-lang.zulipchat.com/login/#narrow/stream/146229-wg-secure-code/" title="Zulip" aria-label="Zulip"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" style="height:1em;fill:currentColor"><path d="M473.09 122.97c0 22.69-10.19 42.85-25.72 55.08L296.61 312.69c-2.8 2.4-6.44-1.47-4.42-4.7l55.3-110.72c1.55-3.1-.46-6.91-3.64-6.91H129.36c-33.22 0-60.4-30.32-60.4-67.37 0-37.06 27.18-67.37 60.4-67.37h283.33c33.22-.02 60.4 30.3 60.4 67.35zM129.36 506.05h283.33c33.22 0 60.4-30.32 60.4-67.37 0-37.06-27.18-67.37-60.4-67.37H198.2c-3.18 0-5.19-3.81-3.64-6.91l55.3-110.72c2.02-3.23-1.62-7.1-4.42-4.7L94.68 383.6c-15.53 12.22-25.72 32.39-25.72 55.08 0 37.05 27.18 67.37 60.4 67.37zm522.5-124.15l124.78-179.6v-1.56H663.52v-48.98h190.09v34.21L731.55 363.24v1.56h124.01v48.98h-203.7V381.9zm338.98-230.14V302.6c0 45.09 17.1 68.03 47.43 68.03 31.1 0 48.2-21.77 48.2-68.03V151.76h59.09V298.7c0 80.86-40.82 119.34-109.24 119.34-66.09 0-104.96-36.54-104.96-120.12V151.76h59.48zm244.91 0h59.48v212.25h104.18v49.76h-163.66V151.76zm297 0v262.01h-59.48V151.76h59.48zm90.18 3.5c18.27-3.11 43.93-5.44 80.08-5.44 36.54 0 62.59 7 80.08 20.99 16.72 13.22 27.99 34.99 27.99 60.64 0 25.66-8.55 47.43-24.1 62.2-20.21 19.05-50.15 27.6-85.13 27.6-7.77 0-14.77-.39-20.21-1.17v93.69h-58.7V155.26zm58.7 118.96c5.05 1.17 11.27 1.55 19.83 1.55 31.49 0 50.92-15.94 50.92-42.76 0-24.1-16.72-38.49-46.26-38.49-12.05 0-20.21 1.17-24.49 2.33v77.37z"/></svg></a>
<a href="https://twitter.com/RustSec/" title="Twitter" aria-label="Twitter"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" style="height:1em;fill:currentColor"><path d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z"/></svg></a>
<a href="https://github.com/RustSec/" title="GitHub" aria-label="GitHub"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512" style="height:1em;fill:currentColor"><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg></a>
<a href="/feed.xml" title="Atom Feed" aria-label="Atom Feed"><svg xmlns="http://www.w3.org/2000/svg" style="height:1em" viewBox="0 0 8 8">
<style type="text/css">
.button {stroke: none; fill: currentColor;}
.symbol {stroke: none; fill-opacity=0;}
</style>
<rect class="button" width="8" height="8" rx="1.5" />
<circle class="symbol" cx="2" cy="6" r="1" />
<path class="symbol" d="m 1,4 a 3,3 0 0 1 3,3 h 1 a 4,4 0 0 0 -4,-4 z" />
<path class="symbol" d="m 1,2 a 5,5 0 0 1 5,5 h 1 a 6,6 0 0 0 -6,-6 z" />
</svg></a>
</div>
</nav>
</header>

<main class="advisory">
<article>

<span class="floating-menu">
<a href="https://github.com/RustSec/advisory-db/commits/main/crates/fast-float/RUSTSEC-2025-0003.md">History</a>
<a href="https://github.com/RustSec/advisory-db/edit/main/crates/fast-float/RUSTSEC-2025-0003.md">Edit</a>
<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2025-0003">JSON (OSV)</a>
</span>


<header>
<h1>

RUSTSEC-2025-0003

</h1>
<span class="subtitle"><p>Segmentation fault due to lack of bound check</p>
</span>
</header>



<dl>
<dt id="reported">Reported</dt>
<dd>
<time datetime="2025-01-13">
January 13, 2025
</time>
</dd>

<dt id="issued">Issued</dt>
<dd>
<time datetime="2025-01-29">
January 29, 2025
</time>

</dd>

<dt id="package">Package</dt>
<dd>


<a href="/packages/fast-float.html">fast-float</a>
(<a href="https://crates.io/crates/fast-float">crates.io</a>)


</dd>

<dt id="type">Type</dt>
<dd>

Vulnerability

</dd>


<dt id="categories">Categories</dt>
<dd>
<ul>

<li><a href="/categories/memory-exposure.html">memory-exposure</a></li>

</ul>
</dd>







<dt id="details">References</dt>
<dd>
<ul>

<li>
<a href="https://github.com/aldanor/fast-float-rust/issues/38">
https://github.com/aldanor/fast-float-rust/issues/38
</a>
</li>


</ul>
</dd>







<dt id="patched">Patched</dt>
<dd>

no patched versions

</dd>








</dl>



<dl>
<dt>Affected Functions</dt>
<dd>Version</dd>

<dt><code>fast_float::common::AsciiStr::first</code></dt>
<dd>
<ul>

<li><code>*</code></li>

</ul>
</dd>

</dl>




<h3 id="description">Description</h3>
<p>In this case, the &quot;fast_float::common::AsciiStr::first&quot; method within the &quot;AsciiStr&quot; struct
uses the unsafe keyword to reading from memory without performing bounds checking.
Specifically, it directly dereferences a pointer offset by &quot;self.ptr&quot;.
Because of the above reason, the method accesses invalid memory address when it takes an empty string as its input.
This approach violates Rust’s memory safety guarantees, as it can lead to invalid memory access if empty buffer is provided.</p>
<p>No patched version for fast-float crate has been released, but a patch is available in the fast-float2 fork.</p>


<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
license.


</p>
</article>
</main>
Loading

0 comments on commit d315a41

Please sign in to comment.