GHSA-2rxc-gjrp-vjhx: Unsoundness in anstream
Given the valid UTF-8 string “ö\x1b😀”, the stripping code in crates/anstream/src/adapter/strip.rs mis-segments its input. The UTF-8 encoding is \xc3\xb6 (ö), then \x1b (ESC), then \xf0\x9f\x98\x80 (😀).
The loop that skips “non-printable bytes” works one byte at a time with no knowledge of character boundaries, so it treats \x1b\xf0 as a non-printable escape sequence. The \xf0 it swallows is the lead byte of the four-byte emoji, not part of an escape sequence.
The incorrectly segmented bytes that remain (\x9f\x98\x80, continuation bytes with no lead byte) are then handed to str::from_utf8_unchecked. That slice is not valid UTF-8, so the call produces a &str that violates the type's invariant, which is undefined behaviour and must never be reachable from safe code.
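The following is an added example written for this page, not anstream's own code. It models the bug with a deliberately simplified scanner (an assumption: ESC followed by a single byte, or ESC [ parameters up to a final byte in 0x40..=0x7e, instead of anstream's real state machine). The naive variant segments raw bytes and then trusts the segments to be UTF-8, using the checked `from_utf8` in place of `from_utf8_unchecked` so the mis-segmentation surfaces as an `Err` rather than undefined behaviour. The hardened variant only lets ASCII bytes belong to an escape sequence, so every cut lands on a char boundary and checked `&str` slicing is sufficient. The input string is the one from the advisory; the CSI sample is constructed.

```rust
/// Byte-offset ranges of the printable runs in `input`, found the way a
/// byte-at-a-time state machine would find them. With `ascii_only == false`
/// any byte that follows ESC is swallowed as part of the sequence (the bug);
/// with `ascii_only == true` only ASCII bytes may belong to a sequence.
/// This is a constructed, simplified scanner, not anstream's parser.
fn printable_ranges(input: &[u8], ascii_only: bool) -> Vec<(usize, usize)> {
    let mut ranges = Vec::new();
    let mut start = 0;
    let mut i = 0;
    // Whether byte `b` may be consumed as part of an escape sequence.
    let takes = |b: u8| !ascii_only || b.is_ascii();
    while i < input.len() {
        if input[i] != 0x1b {
            i += 1;
            continue;
        }
        // Flush the printable run that ended at this ESC.
        if start < i {
            ranges.push((start, i));
        }
        i += 1; // skip ESC itself
        if input.get(i) == Some(&b'[') {
            // CSI: parameter/intermediate bytes until a final byte 0x40..=0x7e.
            i += 1;
            while i < input.len() && takes(input[i]) && !(0x40..=0x7e).contains(&input[i]) {
                i += 1;
            }
            if i < input.len() && takes(input[i]) {
                i += 1; // the final byte
            }
        } else if i < input.len() && takes(input[i]) {
            // Two-byte "ESC x" sequence. With ascii_only == false this eats
            // 0xf0, the lead byte of the emoji in "ö\x1b😀".
            i += 1;
        }
        start = i;
    }
    if start < input.len() {
        ranges.push((start, input.len()));
    }
    ranges
}

/// The unsound shape: segment bytes first, assume the pieces are UTF-8 later.
/// `from_utf8` stands in for `from_utf8_unchecked`; where the real code would
/// produce an invalid &str, this returns Err.
fn strip_naive(input: &str) -> Result<Vec<&str>, std::str::Utf8Error> {
    printable_ranges(input.as_bytes(), false)
        .into_iter()
        .map(|(a, b)| std::str::from_utf8(&input.as_bytes()[a..b]))
        .collect()
}

/// Hardened: escape sequences are restricted to ASCII, so each range boundary
/// is a char boundary and checked slicing of the &str cannot panic.
fn strip_safe(input: &str) -> Vec<&str> {
    printable_ranges(input.as_bytes(), true)
        .into_iter()
        .map(|(a, b)| &input[a..b])
        .collect()
}

fn main() {
    let s = "ö\x1b😀"; // the advisory's input
    println!("naive: {:?}", strip_naive(s));
    println!("safe:  {:?}", strip_safe(s));
    // Constructed sample with a real CSI colour sequence.
    println!("safe:  {:?}", strip_safe("\x1b[31mred\x1b[0m ö"));
}
```

Running this prints an `Err(Utf8Error ...)` for the naive scanner on the advisory's input, because its second printable range starts at byte offset 4, inside the emoji; the hardened scanner yields `["ö", "😀"]`. The general lesson is the one the advisory states: any scanner that decides segment boundaries on raw bytes must never feed those segments to `from_utf8_unchecked` unless it can prove the boundaries are char boundaries.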
Full credit goes to @Ralith who reviewed this code and asked @burakemir to follow up.