If your @rustlang code uses std::mem::uninitialized() and can panic while referencing uninitialized memory, it's a potential security vulnerability:https://twitter.com/RustSec/status/1151587254990602240 …
-
-
• Very Low: No known vulnerable code, code exec does not seem possible • Low: No known vulnerable code but RCE thereoretically possible OR only DoS possible in the wild • Medium and above: Known vulnerable code, RCE at least theoretically possible
-
“Uninitialized” often means “previously initialized, possibly by someone bad”. I wouldn’t dismiss this bug as inexploitable.
- 9 more replies
New conversation -
-
-
This was probably the most debatable advisory we've included to-date and there was a decent amount of debate about whether or not to include it. We decided to err on the side of caution, as at 11 total advisories this year we're not quite at the point of alert fatigue.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.