CVE-2020-36452: Memory corruption in array-tools

August 25, 2021

An issue was discovered in the array-tools crate before 0.3.2 for Rust. Affected versions of this crate don’t guard against panics, so that partially uninitialized buffer is dropped when user-provided T::clone() panics in FixedCapacityDequeLike<T, A>::clone(). This causes memory corruption.

References

github.com/L117/array-tools
github.com/L117/array-tools/issues/2
github.com/advisories/GHSA-6wp2-fw3v-mfmc
nvd.nist.gov/vuln/detail/CVE-2020-36452
raw.githubusercontent.com/rustsec/advisory-db/main/crates/array-tools/RUSTSEC-2020-0132.md
rustsec.org/advisories/RUSTSEC-2020-0132.html

Detect and mitigate CVE-2020-36452 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →