GHSA-2wq5-g96f-mv3v: Ouch! allows a segmentation fault due to use of uninitialized memory

September 23, 2024

When trying to decompress a file using “ouch”, we can reach the function “ouch::archive::zip::convert_zip_date_time”. In the function, there is a unsafe function, “transmute”. Once the “transmute” function is called to convert the type of “month” object, the address of the object is changed to the uninitialized memory region. After that, when other function tries to dereference “month”, segmentation fault occurs.

References

github.com/advisories/GHSA-2wq5-g96f-mv3v
github.com/ouch-org/ouch
github.com/ouch-org/ouch/issues/707
rustsec.org/advisories/RUSTSEC-2024-0374.html

Code Behaviors & Features

Detect and mitigate GHSA-2wq5-g96f-mv3v with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →