GHSA-pqpw-89w5-82v5: `simd-json-derive` vulnerable to `MaybeUninit` misuse

November 12, 2024

An invalid use of MaybeUninit::uninit().assume_init() in simd-json-derive’s derive macro can cause undefined behavior. The original code used MaybeUninit to avoid initialisation of the struct and then set the fields using ptr::write. The undefined behavior triggered by this misuse of MaybeUninit can lead to invlaid memory access and panics in binaries compiled in release mode (aka simd-json-derive prior to version 0.12 has UB and optimizes into some nonsense)

The version 0.12.0 removes this section of code, avoiding the use of MaybeUninit alltogether.

References

github.com/advisories/GHSA-pqpw-89w5-82v5
github.com/simd-lite/simd-json-derive
github.com/simd-lite/simd-json-derive/issues/67
rustsec.org/advisories/RUSTSEC-2023-0087.html

Detect and mitigate GHSA-pqpw-89w5-82v5 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →