Skip to content

Use after free in libpulse-binding

High severity GitHub Reviewed Published Oct 22, 2020 in jnqnfe/pulse-binding-rust • Updated Jan 11, 2023

Package

cargo libpulse-binding (Rust)

Affected versions

< 1.2.1

Patched versions

1.2.1

Description

Overview

Version 1.2.1 of the libpulse-binding Rust crate, released on the 15th of June 2018, fixed a pair of use-after-free issues with the objects returned by the get_format_info and get_context methods of Stream objects. These objects were mistakenly being constructed without setting an important flag to prevent destruction of the underlying C objects they reference upon their own destruction.

This advisory is being written retrospectively, having previously only been noted in the changelog. No CVE assignment was sought.

Patches

Users are required to update to version 1.2.1 or newer.

Versions older than 1.2.1 have been yanked from crates.io. This was believed to have already been done at the time of the 1.2.1 release, but upon double checking now they were found to still be available, so has been done now (22nd October 2020).

References

@jnqnfe jnqnfe published to jnqnfe/pulse-binding-rust Oct 22, 2020
Reviewed Aug 18, 2021
Published to the GitHub Advisory Database Aug 25, 2021
Last updated Jan 11, 2023

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-ghpq-vjxw-ch5w

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.