
====================================================================
                                                        CERT-Renater

                       Note d'Information No. 2023/VULN270

_____________________________________________________________________

DATE                : 29/08/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running mail-internals (Rust).

====================================================================

https://github.com/advisories/GHSA-rcx8-48pc-v9q8
_____________________________________________________________________


mail-internals use-after-free vulnerability in `vec_insert_bytes`

Moderate severity. GitHub Reviewed. Published Aug 24, 2023 to the
GitHub Advisory Database; updated Aug 24, 2023.

Vulnerability details

Package
mail-internals (Rust)

Affected versions
>= 0.2.0, <= 0.2.3

Patched versions
None


Description

Incorrect reallocation logic in the function `vec_insert_bytes` causes
a use-after-free.

The function does not have to be called directly to trigger the
vulnerability: many methods on `EncodingWriter` call it internally, so
any code that writes through an `EncodingWriter` can reach the bug.

The mail-* suite is unmaintained and the upstream sources have been
actively vandalised.

A fixed mail-internals-ng crate (together with mail-headers-ng and
mail-core-ng) has been published; it fixes this issue and also
addresses a dependency on another unsound crate.
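The advisory only states that the reallocation logic is incorrect; it
does not reproduce the crate's code, and neither does the following
example. This is an added illustration, not the mail-internals source
or the mail-internals-ng fix: it shows the ordering property a
byte-insertion helper must respect (grow the Vec first, only then derive
the raw pointer, because `reserve` may move the buffer and free the old
one), next to a fully safe implementation built on `Vec::splice`. The
function names `insert_bytes_safe`, `insert_bytes_manual` and `demo`,
and the header bytes used as input, are constructed for this example.

```rust
use std::ptr;

/// Safe version: `Vec::splice` performs the growth and the memmove itself.
/// No raw pointer is held across the reallocation, so nothing can dangle.
pub fn insert_bytes_safe(target: &mut Vec<u8>, idx: usize, source: &[u8]) {
    assert!(idx <= target.len(), "insert index out of bounds");
    target.splice(idx..idx, source.iter().copied());
}

/// Manual version with raw pointers, written in the order such a helper
/// must follow. Taking `as_mut_ptr()` BEFORE `reserve()` and reusing it
/// afterwards is the stale-pointer mistake behind this class of bug:
/// once `reserve()` reallocates, the old allocation is already freed.
pub fn insert_bytes_manual(target: &mut Vec<u8>, idx: usize, source: &[u8]) {
    let old_len = target.len();
    let ins = source.len();
    assert!(idx <= old_len, "insert index out of bounds");
    let new_len = old_len.checked_add(ins).expect("length overflow");

    // 1. Grow the allocation first (this may move the buffer).
    target.reserve(ins);
    // 2. Only now derive the pointer, from the possibly new allocation.
    let base = target.as_mut_ptr();

    // SAFETY: after reserve(), capacity >= new_len, so every offset used
    // below lies inside the allocation; `source` cannot alias `target`
    // because we hold `&mut target` and `&source` simultaneously.
    unsafe {
        // Shift the tail [idx, old_len) right by `ins` bytes (regions may
        // overlap, hence ptr::copy rather than copy_nonoverlapping).
        ptr::copy(base.add(idx), base.add(idx + ins), old_len - idx);
        // Fill the gap with the new bytes.
        ptr::copy_nonoverlapping(source.as_ptr(), base.add(idx), ins);
        target.set_len(new_len);
    }
}

/// Constructed driver: inserts a header field at the front of a small
/// buffer whose capacity is deliberately too small, so that reserve()
/// really has to reallocate. Returns both results for comparison.
pub fn demo() -> (Vec<u8>, Vec<u8>) {
    let mut a: Vec<u8> = Vec::with_capacity(4);
    a.extend_from_slice(b"To: x\r\n");
    let mut b = a.clone();
    let field = b"Subject: hello\r\n";
    insert_bytes_safe(&mut a, 0, field);
    insert_bytes_manual(&mut b, 0, field);
    (a, b)
}

fn main() {
    let (a, b) = demo();
    assert_eq!(a, b);
    println!("{}", String::from_utf8_lossy(&a));
}
```

Running the manual version under Miri (`cargo +nightly miri run`) is the
practical check for this kind of helper: Miri reports a use of the freed
buffer if the pointer is taken before `reserve()`. For an existing
dependency tree, `cargo audit` matches the versions pinned in Cargo.lock
against the RustSec database and reports RUSTSEC-2023-0054 when an
affected mail-internals version is present; the remedy is to move to the
-ng crates named above, since no patched mail-internals release exists.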


References

https://github.com/rustsec/advisory-db/blob/main/crates/mail-internals/RUSTSEC-2023-0054.md
https://rustsec.org/advisories/RUSTSEC-2023-0054.html


Severity
Moderate

Weaknesses
No CWEs

CVE ID
No known CVE

GHSA ID
GHSA-rcx8-48pc-v9q8



========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email: cert@support.renater.fr +
========================================================