CVE-2018-25027
HIGH7.5EPSS 0.41%Use-after-free with objects returned by `Stream`'s `get_format_info` and `get_context` methods
Published: 8/25/2021Modified: 11/8/2023
Description
Affected versions contained a pair of use-after-free issues with the objects returned by the `get_format_info` and `get_context` methods of `Stream` objects. These objects were mistakenly being constructed without setting an important flag to prevent destruction of the underlying C objects they reference upon their own destruction.
Affected packages (4)
- crates.io/libpulse-bindingfrom 0, < 1.2.1
- crates.io/libpulse-bindingfrom 0, < 1.2.1
- crates.io/libpulse-bindingfrom 0, < 1.2.1
- crates.io/libpulse-binding>= 0.0.0-0, < 1.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-25027
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-25028
- PATCHhttps://crates.io/crates/libpulse-binding
- PATCHhttps://github.com/jnqnfe/pulse-binding-rust
- WEBhttps://github.com/jnqnfe/pulse-binding-rust/security/advisories/GHSA-ghpq-vjxw-ch5w
- WEBhttps://raw.githubusercontent.com/rustsec/advisory-db/main/crates/libpulse-binding/RUSTSEC-2018-0021.md
- WEBhttps://rustsec.org/advisories/RUSTSEC-2018-0021.html