GHSA-f9g6-fp84-fv92: impl `FromMdbValue` for bool is unsound

July 19, 2023

The implementation of FromMdbValue has several unsoundness issues. First of all, it allows to reinterpret arbitrary bytes as a bool and could make undefined behavior happen with safe function. Secondly, it allows transmuting pointer without taking memory layout into consideration. The details of reproducing the bug are available here.

References

github.com/advisories/GHSA-f9g6-fp84-fv92
github.com/vhbit/lmdb-rs
github.com/vhbit/lmdb-rs/issues/67
rustsec.org/advisories/RUSTSEC-2023-0047.html

Detect and mitigate GHSA-f9g6-fp84-fv92 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →