From 7b3eed6924e5aff2da1edb1fea3cef297e8933a9 Mon Sep 17 00:00:00 2001 From: Jorge Leitao Date: Fri, 4 Mar 2022 19:08:01 +0100 Subject: [PATCH] Added advisory for `arrow2::ffi::Ffi_ArrowArray` double free (#1204) * Added advisory for Arrow2 FFI_ArrowArray * add "memory-corruption" category * Fix version Co-authored-by: Sergey "Shnatsel" Davidoff --- crates/arrow2/RUSTSEC-0000-0000.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 crates/arrow2/RUSTSEC-0000-0000.md diff --git a/crates/arrow2/RUSTSEC-0000-0000.md b/crates/arrow2/RUSTSEC-0000-0000.md new file mode 100644 index 000000000..1330bd4a1 --- /dev/null +++ b/crates/arrow2/RUSTSEC-0000-0000.md @@ -0,0 +1,24 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "arrow2" +date = "2022-03-04" +url = "https://github.com/jorgecarleitao/arrow2/issues/880" +categories = ["memory-corruption"] + +[versions] +patched = [">= 0.7.1, < 0.8", ">= 0.8.2, < 0.9", ">= 0.9.2, < 0.10"] +``` + +# Arrow2 allows double free in `safe` code + +The struct `Ffi_ArrowArray` implements `#derive(Clone)` that is inconsistent with +its custom implementation of `Drop`, resulting in a double free when cloned. + +Cloning this struct in `safe` results in a segmentation fault, which is unsound. + +This derive was removed from this struct. All users are advised to either: +* bump the patch version of this crate (for versions `v0.7,v0.8,v0.9`), or +* migrate to a more recent version of the crate (when using `<0.7`). + +Doing so elimitates this vulnerability (code no longer compiles).
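Review bot: the advisory body in the new `crates/arrow2/RUSTSEC-0000-0000.md` has three wording defects that will reach the published advisory as-is: `#derive(Clone)` should read `#[derive(Clone)]` (the attribute syntax the text is describing), "Cloning this struct in `safe` results in a segmentation fault" is missing the word "code" (compare the heading, "double free in `safe` code"), and "elimitates" should be "eliminates". Suggested replacements:

The struct `Ffi_ArrowArray` implements `#[derive(Clone)]`, which is inconsistent with
Cloning this struct in `safe` code results in a segmentation fault, which is unsound.
Doing so eliminates this vulnerability (code no longer compiles).

On the `[versions]` table: the last patched range is bounded as `">= 0.9.2, < 0.10"`, so any release at or above `0.10` would be treated as vulnerable by tooling that reads this file, while the prose tells users to "migrate to a more recent version". If the fix is present in everything from `0.9.2` onward, the final entry should be open-ended (`">= 0.9.2"`); if `0.10.x` is genuinely unpatched, the prose should say so rather than recommending a newer version. Also consider naming the severity-relevant mechanism once in the body (a `Drop` impl that frees the FFI buffers running twice after a `Clone`), since that is what "double free" means here and what downstream users will search for.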