From 362497af88fdbfb62c2cc48513d9576c59c60fe2 Mon Sep 17 00:00:00 2001
From: 5225225 <5225225@mailbox.org>
Date: Wed, 16 Feb 2022 19:30:20 +0000
Subject: [PATCH] Add advisory for `temporary`
---
 crates/temporary/RUSTSEC-0000-0000.md | 32 +++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 crates/temporary/RUSTSEC-0000-0000.md
diff --git a/crates/temporary/RUSTSEC-0000-0000.md b/crates/temporary/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..e0011208c
--- /dev/null
+++ b/crates/temporary/RUSTSEC-0000-0000.md
@@ -0,0 +1,32 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "temporary"
+date = "2018-08-22"
+url = "https://github.com/stainless-steel/temporary/issues/2"
+categories = ["memory-exposure"]
+keywords = ["uninitialized-memory"]
+
+[versions]
+patched = [">= 0.6.4"]
+unaffected = ["< 0.3.0"]
+```
+
+# Use of uninitialized memory in temporary
+
+Uninit memory is used as a RNG seed in temporary
+
+The following function is used as a way to get entropy from the system, which does operations on and exposes uninit memory, which is UB.
+
+```rust
+fn random_seed(_: &Path, _: &str) -> [u64; 2] {
+ use std::mem::uninitialized as rand;
+ unsafe { [rand::() ^ 0x12345678, rand::() ^ 0x87654321] }
+}
+```
+
+This has been resolved in the 0.6.4 release.
+
+The crate is not intended to be used outside of a testing environment.
+
+For a general purpose crate to create temporary directories, [`tempfile`](https://crates.io/crates/tempfile) is an alternative for this crate.
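Review bot: The code sample's line `unsafe { [rand::() ^ 0x12345678, rand::() ^ 0x87654321] }` is not valid Rust as written — `rand::()` has lost its type argument, presumably `rand::<u64>()` given the `[u64; 2]` return type, which looks like the angle-bracket text was stripped when the snippet was pasted; confirm against the upstream source and restore it so readers can reproduce the issue. Beyond the UB framing, the snippet shows that the only "entropy" feeding the seed is uninitialized stack memory, which the compiler may treat as any value, so the seed is not guaranteed to differ between runs and the practical exposure for users is predictable temporary-directory names rather than disclosure of memory contents; a sentence to that effect after `Uninit memory is used as a RNG seed in temporary` would help consumers judge impact and whether `memory-exposure` is the right category. The `unaffected = ["< 0.3.0"]` bound is not explained by the description; naming the release or commit that introduced `random_seed` would let the range be checked.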