GHSA-g753-ghr7-q33w: cyfs-base vulnerable to misaligned pointer dereference in `ChunkId::new`

June 22, 2023

The function ChunkId::new creates a misaligned pointer by casting mutable pointer of u8 slice which has alignment 1 to the mutable pointer of u32 which has alignment 4, and dereference the misaligned pointer leading UB, which should not be allowed in safe function.

References

github.com/advisories/GHSA-g753-ghr7-q33w
github.com/buckyos/CYFS
github.com/buckyos/CYFS/commit/e030188895096fd8d91d48753877729f4d37dd24
github.com/buckyos/CYFS/issues/275
rustsec.org/advisories/RUSTSEC-2023-0046.html

Detect and mitigate GHSA-g753-ghr7-q33w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →