
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN446
_____________________________________________________________________

DATE                : 15/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running static-alloc (crates.io) versions
                                 0.2.2 and later, prior to 0.2.6.

=====================================================================
https://rustsec.org/advisories/RUSTSEC-2025-0042.html
_____________________________________________________________________


RUSTSEC-2025-0042

Uninitialized read after allocating MemBump

Reported       July 11, 2025 
Issued         July 11, 2025 
Package        static-alloc (crates.io) 
Type           INFO Unsound 
Categories
        memory-exposure
        memory-corruption

Keywords       #initialization 
References
        https://github.com/197g/static-alloc/issues/81

Patched        >=0.2.6

Unaffected     <=0.2.1

Affected Functions                          Version

static_alloc::unsync::MemBump::new           >=0.2.2


Description

The affected function, MemBump::new(), allocates memory without
initializing it. Subsequently calling the created value's various
alloc methods then reads and writes the start of that memory, where
the allocation counter lives, as a Cell. Reading a Cell that has
never been written is undefined behavior. Instead, the constructor
should zero-initialize the start of the allocated memory before
returning.

For instance, some garbage counter values violate the internal
invariants of the type and cause an assertion failure. Nevertheless,
no deterministic read is known that causes further uninitialized
memory to be exposed.

Affected downstream users that cannot upgrade are advised to call
MemBump::reset immediately after allocation, which performs the
missing write of the counter as well as can be done from outside
the crate.

The flaw was corrected in commit
d8d6a7d096d3aaafd963b356a8f1bbd8d26fd967 by zeroing the Cell
at the start of the allocated memory.
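As an added illustration of the flaw and of the fix, the following Rust is this note's own constructed example, not static-alloc's code: a minimal single-threaded bump allocator (hypothetical names BumpBuf, new, alloc, reset and used) that keeps its allocation counter as a Cell<usize> at the start of one heap block, with the arena following it, which is the layout the advisory describes. The `ptr::write` in `new` is the write that the affected versions omitted; everything after it assumes the counter has been initialized.

```rust
// Added example, not the static-alloc crate's code. BumpBuf, new, alloc,
// reset and used are names chosen for this illustration.
use std::alloc::{alloc, dealloc, Layout};
use std::cell::Cell;
use std::mem::{align_of, size_of};
use std::ptr::NonNull;

// The counter header occupies the first bytes of the block; the arena follows.
const HEADER: usize = size_of::<Cell<usize>>();

pub struct BumpBuf {
    base: NonNull<u8>,
    layout: Layout,
    capacity: usize, // usable arena bytes after the header
}

impl BumpBuf {
    /// Allocates `capacity` arena bytes plus the counter header.
    ///
    /// The advisory's flaw was to return right after `alloc` with the header
    /// still uninitialized, so the first call that touched the counter read
    /// garbage through the Cell. The fix is the `write` below: the counter is
    /// zeroed before any method can observe it.
    pub fn new(capacity: usize) -> Option<Self> {
        let size = HEADER.checked_add(capacity)?;
        let layout = Layout::from_size_align(size, align_of::<Cell<usize>>()).ok()?;
        // SAFETY: `size` is non-zero because HEADER > 0.
        let raw = unsafe { alloc(layout) };
        let base = NonNull::new(raw)?;
        // The previously missing write: initialize the counter before use.
        // SAFETY: the block is at least HEADER bytes and suitably aligned.
        unsafe { base.as_ptr().cast::<Cell<usize>>().write(Cell::new(0)) };
        Some(BumpBuf { base, layout, capacity })
    }

    fn counter(&self) -> &Cell<usize> {
        // SAFETY: `new` wrote a Cell<usize> at `base`; nothing overwrites it.
        unsafe { &*self.base.as_ptr().cast::<Cell<usize>>() }
    }

    /// Bytes of the arena handed out so far.
    pub fn used(&self) -> usize {
        self.counter().get()
    }

    /// Forgets all allocations. On an unpatched crate, calling the
    /// equivalent method right after construction is the advisory's
    /// workaround: it performs the write the constructor skipped.
    pub fn reset(&self) {
        self.counter().set(0);
    }

    /// Bump-allocates `size` bytes aligned to `align` (a power of two).
    pub fn alloc(&self, size: usize, align: usize) -> Option<NonNull<u8>> {
        assert!(align.is_power_of_two(), "alignment must be a power of two");
        let used = self.used();
        // This is the kind of internal invariant a garbage counter would
        // violate; with an initialized counter it always holds.
        assert!(used <= self.capacity, "counter exceeds arena capacity");
        let arena_addr = self.base.as_ptr() as usize + HEADER;
        // Padding needed to bring the current position up to `align`.
        let pad = (arena_addr + used).wrapping_neg() & (align - 1);
        let offset = used.checked_add(pad)?;
        let end = offset.checked_add(size)?;
        if end > self.capacity {
            return None;
        }
        self.counter().set(end);
        // SAFETY: HEADER + offset <= layout.size(), so the pointer stays
        // inside (or one past the end of) the allocated block.
        Some(unsafe { NonNull::new_unchecked(self.base.as_ptr().add(HEADER + offset)) })
    }
}

impl Drop for BumpBuf {
    fn drop(&mut self) {
        // SAFETY: `base` came from `alloc` with exactly this layout.
        unsafe { dealloc(self.base.as_ptr(), self.layout) }
    }
}

fn main() {
    let bump = BumpBuf::new(64).expect("allocation failed");
    let a = bump.alloc(3, 1).expect("first allocation");
    let b = bump.alloc(8, 8).expect("aligned allocation");
    println!("a={:p} b={:p} used={}", a.as_ptr(), b.as_ptr(), bump.used());
    bump.reset();
    println!("after reset used={}", bump.used());
}
```

Running the constructor without the `write` under Miri reports the read of the uninitialized counter in the first `alloc` call; the shipped version above passes, and `reset` immediately after `new` is harmless, which is why the advisory's workaround is safe to apply unconditionally on versions that cannot be upgraded.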


Advisory available under CC0-1.0 license. 


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
