Skip to content

Parsing borsh messages with ZST which are not-copy/clone is unsound

Moderate severity GitHub Reviewed Published Apr 17, 2023 to the GitHub Advisory Database • Updated Sep 29, 2023

Package

cargo borsh (Rust)

Affected versions

<= 0.10.3

Patched versions

1.0.0-alpha.1

Description

Affected versions of borsh cause undefined behavior when zero-sized-types (ZST) are parsed and the Copy/Clone traits are not implemented/derived. For instance if 1000 instances of a ZST are deserialized, and the ZST is not copy (this can be achieved through a singleton), then accessing/writing to deserialized data will cause a segmentation fault.

There is currently no way for borsh to read data without also providing a Rust type. Therefore, if you are not using ZST for serialization, then you are not affected by this issue.

References

Published to the GitHub Advisory Database Apr 17, 2023
Reviewed Apr 17, 2023
Last updated Sep 29, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-fjx5-qpf4-xjf2

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.