CVE-2020-35865: os_str_bytes relies on undefined behavior of `char::from_u32_unchecked`
The Windows implementation of this crate relied on the behavior of `std::char::from_u32_unchecked` when its safety clause is violated. Even though this worked with Rust versions up to 1.42 (at least), that behavior could change with any new Rust version, possibly leading to a security issue.
The flaw was corrected in version 2.0.0.
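The following added example (not code from os_str_bytes or from this advisory) shows one way to process values that may not be valid Unicode scalar values without ever violating the safety clause of `char::from_u32_unchecked`. It assumes the input is potentially ill-formed UTF-16 such as Windows APIs can return; the function names and the generalized UTF-8 output encoding are hypothetical choices made for illustration.

```rust
// Added example, not os_str_bytes code. Function names are hypothetical.
use std::char::{decode_utf16, from_u32};

/// Encode one code point (possibly a surrogate) as UTF-8-style bytes using
/// integer arithmetic only, so no invalid `char` value is ever created.
/// Callers must pass values <= 0x10FFFF.
fn encode_code_point(cp: u32, out: &mut Vec<u8>) {
    match cp {
        0..=0x7F => out.push(cp as u8),
        0x80..=0x7FF => {
            out.push(0xC0 | (cp >> 6) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
        0x800..=0xFFFF => {
            out.push(0xE0 | (cp >> 12) as u8);
            out.push(0x80 | ((cp >> 6) & 0x3F) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
        _ => {
            out.push(0xF0 | (cp >> 18) as u8);
            out.push(0x80 | ((cp >> 12) & 0x3F) as u8);
            out.push(0x80 | ((cp >> 6) & 0x3F) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
    }
}

/// Convert potentially ill-formed UTF-16 to bytes. Unpaired surrogates are
/// reported by `decode_utf16` as errors and encoded from their raw value.
fn wide_to_bytes(units: &[u16]) -> Vec<u8> {
    let mut out = Vec::new();
    for r in decode_utf16(units.iter().copied()) {
        match r {
            Ok(c) => encode_code_point(c as u32, &mut out),
            Err(e) => encode_code_point(u32::from(e.unpaired_surrogate()), &mut out),
        }
    }
    out
}

fn main() {
    // The checked constructor rejects exactly the values that the unchecked
    // one must never be given: surrogates and values above 0x10FFFF.
    assert!(from_u32(0xD800).is_none());
    assert!(from_u32(0x11_0000).is_none());
    // Constructed input: "a", an unpaired high surrogate, then U+1F600 as a pair.
    let bytes = wide_to_bytes(&[0x61, 0xD800, 0xD83D, 0xDE00]);
    println!("{:02X?}", bytes);
}
```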