CVE-2020-25016: Out of bounds access in rgb

August 25, 2021 (updated June 13, 2023)

Affected versions of rgb crate allow viewing and modifying data of any type T wrapped in RGB as bytes, and do not correctly constrain RGB and other wrapper structures to the types for which it is safe to do so.

Safety violation possible for a type wrapped in RGB and similar wrapper structures:

If T contains padding, viewing it as bytes may lead to exposure of contents of uninitialized memory.
If T contains a pointer, modifying it as bytes may lead to dereferencing of arbitrary pointers.
Any safety and/or validity invariants for T may be violated.

The issue was resolved by requiring all types wrapped in structures provided by RGB crate to implement an unsafe marker trait.

References

Detect and mitigate CVE-2020-25016 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →