Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN445
_____________________________________________________________________

DATE                : 15/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running slice-ring-buffer (crates.io) 
                           versions prior to 0.3.4.

=====================================================================
https://rustsec.org/advisories/RUSTSEC-2025-0044.html
_____________________________________________________________________

RUSTSEC-2025-0044

Four unique double-free vulnerabilities triggered via safe APIs

Reported      June 16, 2025 
Issued        July 14, 2025 
Package       slice-ring-buffer (crates.io) 
Type          Vulnerability 
Categories    memory-corruption

Keywords    #memory-safety #double-free 

References
        https://github.com/LiquidityC/slice_ring_buffer/issues/12

Patched       no patched versions 

Affected Functions                             Version
slice_ring_buffer::IntoIter::clone             <=0.3.4

slice_ring_buffer::SliceRingBuffer::extend_from_slice
                                               <=0.3.4
slice_ring_buffer::SliceRingBuffer::insert
                                             <=0.3.4

slice_ring_buffer::SliceRingBuffer::shrink_to_fit
                                             <=0.3.4


Description

The crate slice-ring-buffer was developed as a fork of
slice-deque to continue maintenance and provide security
patches, since the latter has been officially unmaintained
(RUSTSEC-2020-0158).

While slice-ring-buffer has addressed some previously
reported memory safety issues inherited from its fork
origin (RUSTSEC-2021-0047), it still retains multiple
unresolved memory corruption vulnerabilities.

Specifically, we have discovered four new memory safety
bugs, each resulting in double-free violations that can
occur when only safe APIs are invoked. These vulnerabilities
correspond to four distinct safe APIs in the crate, each
exposing unsound and vulnerable behavior due to incorrect
usage of unsafe code internally.

Unfortunately, the maintainer doesn't have much availability
to resolve these issues so there's no concrete timeline for
fixes. Community contributions towards fixing these
vulnerabilities would be much appreciated.


Advisory available under CC0-1.0 license. 

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================