CVE-2019-25009

CRITICAL9.8EPSS 0.60%

HeaderMap::Drain API is unsound

發布日:2021/8/25修改日:2023/11/8

也稱為:GHSA-6rhx-hqxm-8p36CGA-4cm4-pxm6-x3mpDEBIAN-CVE-2019-25009RUSTSEC-2019-0034

描述

Affected versions of this crate incorrectly used raw pointer, which introduced unsoundness in its public safe API. [Failing to drop the Drain struct causes double-free](https://github.com/hyperium/http/issues/354), and [it is possible to violate Rust's alias rule and cause data race with Drain's Iterator implementation](https://github.com/hyperium/http/issues/355). The flaw was corrected in 0.1.20 release of `http` crate.

受影響套件(3)

crates.io/httpfrom 0, < 0.1.20
crates.io/http>= 0.0.0-0, < 0.1.20
Debian/rust-httpfrom 0, < 0.1.21-0.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-25009
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-25009
PATCHhttps://crates.io/crates/http
WEBhttps://rustsec.org/advisories/RUSTSEC-2019-0034.html