CVE-2021-28030: Use of Uninitialized Resource in truetype

August 25, 2021

An issue was discovered in the truetype crate before 0.30.1 for Rust. Attackers can read the contents of uninitialized memory locations via a user-provided Read operation within Tape::take_bytes.

References

github.com/advisories/GHSA-v7q4-97x4-4qw2
github.com/bodoni/truetype
github.com/bodoni/truetype/issues/11
nvd.nist.gov/vuln/detail/CVE-2021-28030
rustsec.org/advisories/RUSTSEC-2021-0029.html

Detect and mitigate CVE-2021-28030 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →