GHSA-2326-pfpj-vx3h: lexical-core has multiple soundness issues
RUSTSEC-2024-0377
lexical-core contains multiple soundness issues:
- Bytes::read() allows creating instances of types with invalid bit patterns
- BytesIter::read() advances iterators out of bounds
- The BytesIter trait has safety invariants but is public and not marked unsafe
- write_float() calls MaybeUninit::assume_init() on uninitialized data, which is not allowed by the Rust abstract machine
- radix() calls MaybeUninit::assume_init() on uninitialized data, which is not allowed by the Rust abstract machine
Version 1.0 fixes these issues, removes the vast majority of unsafe
code, and also fixes some correctness issues.
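The three defect classes listed above (reading uninitialized bytes via assume_init(), constructing a type from an arbitrary bit pattern, and advancing a reader past the end of its input) each have a well-known sound counterpart. The following is an added illustration written for this page, not code from lexical-core or its fix; the names write_decimal, initialized_prefix, read_bool and ByteReader are hypothetical. It shows a number formatter that writes into a MaybeUninit buffer but only ever exposes the prefix it actually initialized, a reader that refuses byte patterns that are invalid for the target type, and a cursor whose reads are bounds-checked.

```rust
use std::mem::MaybeUninit;

/// Formats `value` as decimal ASCII into a caller-provided uninitialized
/// buffer. Returns the number of bytes written, or None if it does not fit.
/// Invariant: on Some(len), exactly buf[..len] has been initialized.
fn write_decimal(mut value: u64, buf: &mut [MaybeUninit<u8>]) -> Option<usize> {
    // Write digits from the end of the buffer so no reversal is needed.
    let mut pos = buf.len();
    loop {
        if pos == 0 {
            return None; // buffer too small: report it instead of writing past the end
        }
        pos -= 1;
        buf[pos].write(b'0' + (value % 10) as u8);
        value /= 10;
        if value == 0 {
            break;
        }
    }
    // Move the initialized tail to the front so the result is a clean prefix.
    let len = buf.len() - pos;
    buf.copy_within(pos..buf.len(), 0);
    Some(len)
}

/// Exposes only the initialized prefix. This is the sound alternative to
/// calling assume_init() on the whole buffer: bytes past `len` are never read.
fn initialized_prefix(buf: &[MaybeUninit<u8>], len: usize) -> &[u8] {
    assert!(len <= buf.len(), "len exceeds buffer");
    // SAFETY: the caller obtained `len` from write_decimal, which initialized
    // exactly buf[..len]; MaybeUninit<u8> has the same layout as u8.
    unsafe { std::slice::from_raw_parts(buf.as_ptr() as *const u8, len) }
}

/// Convenience wrapper: format a u64 using a stack buffer sized for its max digits.
fn format_u64(value: u64) -> String {
    // 20 bytes hold any u64 (u64::MAX has 20 decimal digits).
    let mut buf = [MaybeUninit::<u8>::uninit(); 20];
    let len = write_decimal(value, &mut buf).expect("20 bytes fit any u64");
    String::from_utf8(initialized_prefix(&buf, len).to_vec()).expect("ASCII digits")
}

/// Reads a bool from the first byte, rejecting patterns that are not valid
/// for `bool` (only 0 and 1 are). Transmuting any other byte would be UB.
fn read_bool(bytes: &[u8]) -> Option<bool> {
    match bytes.first()? {
        0 => Some(false),
        1 => Some(true),
        _ => None,
    }
}

/// A byte cursor whose reads are bounds-checked: reading past the end
/// returns None and leaves the position unchanged, never advancing out of bounds.
struct ByteReader<'a> {
    data: &'a [u8],
    pos: usize,
}

impl<'a> ByteReader<'a> {
    fn new(data: &'a [u8]) -> Self {
        Self { data, pos: 0 }
    }

    fn read_u16_le(&mut self) -> Option<u16> {
        let end = self.pos.checked_add(2)?;
        let chunk = self.data.get(self.pos..end)?; // None if out of bounds
        self.pos = end;
        Some(u16::from_le_bytes([chunk[0], chunk[1]]))
    }
}

fn main() {
    println!("{}", format_u64(u64::MAX));
    let mut reader = ByteReader::new(&[0x34, 0x12, 0xff]); // constructed sample input
    println!("{:?} {:?}", reader.read_u16_le(), reader.read_u16_le());
    println!("{:?} {:?}", read_bool(&[1]), read_bool(&[2]));
}
```

The key design choice is that the length of initialized data travels with the buffer as a separate value, so the only unsafe block is a single, locally justifiable from_raw_parts over a range the caller has provably written; everything else stays in safe Rust and fails closed with None on short input or invalid bytes.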
References
- github.com/Alexhuszagh/rust-lexical
- github.com/Alexhuszagh/rust-lexical/issues/101
- github.com/Alexhuszagh/rust-lexical/issues/102
- github.com/Alexhuszagh/rust-lexical/issues/104
- github.com/Alexhuszagh/rust-lexical/issues/126
- github.com/Alexhuszagh/rust-lexical/issues/95
- github.com/advisories/GHSA-2326-pfpj-vx3h
- github.com/advisories/GHSA-c2hm-mjxv-89r4
- rustsec.org/advisories/RUSTSEC-2023-0055
- rustsec.org/advisories/RUSTSEC-2023-0086.html