GHSA-rcx8-48pc-v9q8: mail-internals use-after-free vulnerability in `vec_insert_bytes`
Incorrect reallocation logic in the function `vec_insert_bytes` causes a use-after-free.

This function does not have to be called directly to trigger the vulnerability, because many methods on `EncodingWriter` call this function internally.
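As an added illustration (not the mail-internals crate's own code; the signature `vec_insert_bytes(buf, at, bytes)` and the error type are assumed), the ordering of "grow the buffer" versus "take a pointer into it" is what decides whether an insert routine of this kind is sound. A safe-only equivalent built on `Vec::splice` is shown beside it for comparison:

```rust
#[derive(Debug, PartialEq, Eq)]
pub enum InsertError {
    OutOfBounds { at: usize, len: usize },
}

/// Insert `bytes` into `buf` at byte offset `at`, growing the buffer if needed.
///
/// The use-after-free shape in an insert routine like this: a raw pointer into
/// `buf`'s heap block is taken BEFORE the buffer is grown, then used after
/// `reserve` has moved the contents elsewhere and freed the old block. The sound
/// order is: validate with indices, grow once, then derive the pointer.
pub fn vec_insert_bytes(buf: &mut Vec<u8>, at: usize, bytes: &[u8]) -> Result<(), InsertError> {
    let old_len = buf.len();
    if at > old_len {
        return Err(InsertError::OutOfBounds { at, len: old_len });
    }
    let n = bytes.len();
    // 1. Grow first. After this call the old allocation may be gone, so no
    //    pointer computed earlier may be used again.
    buf.reserve(n);
    // 2. Derive the pointer only now, from the current allocation.
    let p = buf.as_mut_ptr();
    // SAFETY: `reserve` guarantees capacity >= old_len + n; `at <= old_len`
    // keeps both ranges inside the allocation; `copy` tolerates the overlap of
    // the shift; `bytes` cannot alias `buf` while `&mut buf` is live.
    unsafe {
        core::ptr::copy(p.add(at), p.add(at + n), old_len - at);
        core::ptr::copy_nonoverlapping(bytes.as_ptr(), p.add(at), n);
        buf.set_len(old_len + n);
    }
    Ok(())
}

/// Same contract with no `unsafe`: `Vec::splice` reserves, shifts and copies
/// itself, so the ordering hazard above cannot arise.
pub fn vec_insert_bytes_safe(buf: &mut Vec<u8>, at: usize, bytes: &[u8]) -> Result<(), InsertError> {
    if at > buf.len() {
        return Err(InsertError::OutOfBounds { at, len: buf.len() });
    }
    buf.splice(at..at, bytes.iter().copied());
    Ok(())
}

fn main() {
    // Constructed sample: a header line that needs a byte sequence inserted.
    let mut buf = b"Subject: Hello".to_vec();
    vec_insert_bytes(&mut buf, 9, b"Re: ").unwrap();
    println!("{}", String::from_utf8_lossy(&buf)); // Subject: Re: Hello
}
```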
The mail-* suite is unmaintained and the upstream sources have been actively vandalised.
A fixed mail-internals-ng (and mail-headers-ng and mail-core-ng) crate has been published which fixes this, and a dependency on another unsound crate.