linkme fails to ensure slice elements match the slice's declared type

Low severity GitHub Reviewed Published Dec 4, 2024 to the GitHub Advisory Database

Package

cargo linkme (Rust)

Affected versions

< 0.3.24

Patched versions

0.3.24

Description

Affected versions allow populating a DistributedSlice of T with elements of an arbitrary other type that coerces to T. For example, elements of type &&str could end up in a slice of type [&str], since &&str coerces to &str via a deref coercion.

The flaw was corrected by implementing typechecking for distributed slice elements in such a way that coercion no longer occurs. The element's type must be a subtype of the slice's declared element type.
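The difference between a check that permits coercion and one that does not, as an added example (not linkme's code and not taken from the advisory). The names `SameAs`, `strict_check`, `is_exact`, `GOOD` and `BAD` are hypothetical, and the strict check shown requires an exact type match, which is stricter than the subtype rule described above.

```rust
use std::any::TypeId;
use std::mem::size_of;

// Constructed sample elements (not taken from the advisory).
static GOOD: &str = "declared type";
static BAD: &&str = &"wrong type";

// A type-annotated binding is a coercion site: `&&str` is accepted where
// `&str` is declared because the compiler inserts a deref.
fn accepted_by_coercion(elem: &'static &'static str) -> &'static str {
    let as_declared: &'static str = elem;
    as_declared
}

// Hypothetical strict check: E must be the declared element type T itself.
// A trait bound is resolved by type equality, so no coercion is applied.
trait SameAs<T> {}
impl<T> SameAs<T> for T {}
fn strict_check<T, E: SameAs<T>>(_elem: &E) {}

// Runtime view of the same distinction for 'static types.
fn is_exact<T: 'static, E: 'static>(_elem: &E) -> bool {
    TypeId::of::<T>() == TypeId::of::<E>()
}

// `&str` is a fat pointer (address + length); `&&str` is one thin pointer,
// so the two types do not share a layout.
fn layouts() -> (usize, usize) {
    (size_of::<&str>(), size_of::<&&str>())
}

fn main() {
    // The coercing check lets the wrong element type through.
    println!("coerced: {}", accepted_by_coercion(BAD));

    strict_check::<&'static str, _>(&GOOD);
    // strict_check::<&'static str, _>(&BAD); // rejected at compile time

    println!("GOOD exact: {}", is_exact::<&'static str, _>(&GOOD));
    println!("BAD exact: {}", is_exact::<&'static str, _>(&BAD));
    let (fat, thin) = layouts();
    println!("size_of &str = {fat}, size_of &&str = {thin}");
}
```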

References

Published to the GitHub Advisory Database Dec 4, 2024
Reviewed Dec 4, 2024

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-f95p-4cv5-8w8x
