CVE-2020-36432: Use of Uninitialized Resource in alg_ds

August 25, 2021

An issue was discovered in the alg_ds crate through 2020-08-25 for Rust. Matrix::new() internally calls Matrix::fill_with() which uses *ptr = value pattern to initialize the buffer. This pattern assumes that there is an initialized struct at the address and drops it, which results in dropping of uninitialized struct.

References

github.com/advisories/GHSA-3vv3-frrq-6486
gitlab.com/dvshapkin/alg-ds
gitlab.com/dvshapkin/alg-ds/-/issues/1
nvd.nist.gov/vuln/detail/CVE-2020-36432
rustsec.org/advisories/RUSTSEC-2020-0033.html

Detect and mitigate CVE-2020-36432 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →