GHSA-v363-rrf2-5fmj: ferris-says has undefined behavior when not using UTF-8
Affected versions receive a &[u8] from the caller through a safe API, and pass it directly to the unsafe str::from_utf8_unchecked function.
The behavior of ferris_says::say is undefined if the bytes from the caller don't happen to be valid UTF-8.
The flaw was corrected in ferris-says#21 by using the safe str::from_utf8 instead, and returning an error on invalid input. However, this fix has not yet been published to crates.io as a patch version for 0.2.
Separately, ferris-says#32 has introduced a different API for version 0.3 which accepts input as &str rather than &[u8], and so is unaffected by this bug.
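The three API shapes the advisory contrasts, written out as an added example that is not code from the ferris-says crate: the unchecked 0.2 pattern, the #21-style checked fix, and the &str signature of 0.3. The function names and the `render` stand-in are hypothetical; the inputs in `main` are constructed.

```rust
use std::str::Utf8Error;

// Word-wraps `text` into a plain bubble. Stands in for the real rendering;
// the advisory is about the input boundary, not the drawing.
fn render(text: &str, width: usize) -> String {
    let mut lines: Vec<String> = Vec::new();
    let mut cur = String::new();
    for word in text.split_whitespace() {
        if !cur.is_empty() && cur.chars().count() + 1 + word.chars().count() > width {
            lines.push(std::mem::take(&mut cur));
        }
        if !cur.is_empty() { cur.push(' '); }
        cur.push_str(word);
    }
    if !cur.is_empty() { lines.push(cur); }
    lines.iter().map(|l| format!("| {:<w$} |\n", l, w = width)).collect()
}

/// The 0.2 pattern the advisory describes: a safe signature that forwards
/// caller bytes to `str::from_utf8_unchecked` without validation. Passing
/// non-UTF-8 bytes here is undefined behavior (this file never does).
pub fn say_unchecked(input: &[u8], width: usize) -> String {
    // No validation precedes this call; that is the flaw.
    let text = unsafe { std::str::from_utf8_unchecked(input) };
    render(text, width)
}

/// The ferris-says#21 shape of the fix: validate with the safe
/// `str::from_utf8` and surface bad input as an error.
pub fn say_checked(input: &[u8], width: usize) -> Result<String, Utf8Error> {
    let text = std::str::from_utf8(input)?;
    Ok(render(text, width))
}

/// The 0.3 shape (ferris-says#32): take `&str`, so the type system obliges
/// the caller to have validated before the call; no unsafe is needed.
pub fn say_str(input: &str, width: usize) -> String {
    render(input, width)
}

fn main() {
    // Constructed inputs: valid text, and bytes ending in an invalid 0xFF.
    print!("{}", say_checked(b"Hello fellow Rustaceans!", 12).unwrap());
    match say_checked(&[0x48, 0x69, 0xFF], 12) {
        Ok(_) => println!("unexpected"),
        Err(e) => println!("rejected invalid input: {e}"),
    }
}
```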