Advisories for Cargo/Slice-Deque package

The crate slice-ring-buffer was developed as a fork of slice-deque to continue maintenance and provide security patches, since the latter has been officially unmaintained (RUSTSEC-2020-0158). While slice-ring-buffer has addressed some previously reported memory safety issues inherited from its fork origin (RUSTSEC-2021-0047), it still retains multiple unresolved memory corruption vulnerabilities. Specifically, we have discovered four new memory safety bugs, each resulting in double-free violations that can occur when only safe APIs …

Affected versions of this crate entered a corrupted state if mem::size_of::() % allocation_granularity() != 0 and a specific allocation pattern was used: sufficiently shifting the deque elements over the mirrored page boundary. This allows an attacker that controls controls both element insertion and removal to corrupt the deque, such that reading elements from it would read bytes corresponding to other elements in the deque. (e.g. a read of T could …

Affected versions of this crate did not properly update the head and tail of the deque when inserting and removing elements from the front if, before insertion or removal, the tail of the deque was in the mirrored memory region, and if, after insertion or removal, the head of the deque is exactly at the beginning of the mirrored memory region. An attacker that controls both element insertion and removal …

An issue was discovered in the slice-deque crate through 2021-02-19 for Rust. A double drop can occur in SliceDeque::drain_filter upon a panic in a predicate function.