CVE-2020-36317

Name
CVE-2020-36317
Description
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the same string.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Exploit https://github.com/rust-lang/rust/issues/78498
Patch https://github.com/rust-lang/rust/pull/78499

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:* rust >= None < 1.49.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
rust 3.13-community 1.47.0-r2 Rasmus Thomsen <oss@cogitri.dev> possibly vulnerable