GHSA-66fw-43h8-f8p3: XMP Toolkit's `XmpFile::close` can trigger undefined behavior
Affected versions of the crate failed to catch C++ exceptions raised within the XmpFile::close function. If such an exception occured, it would trigger undefined behavior, typically a process abort.
This is best demonstrated in issue #230, where a race condition causes the close call to fail due to file I/O errors.
This was fixed in PR #232 (released as crate version 1.9.0), which now safely handles the exception.
For backward compatibility, the existing API ignores the error. A new API XmpFile::try_close was added to allow callers to receive and process the error result.
Users of all prior versions of xmp_toolkit are encouraged to update to version 1.9.0 to avoid undefined behavior.
References
Code Behaviors & Features
Detect and mitigate GHSA-66fw-43h8-f8p3 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →