[RUSTSEC-2024-0360] `XmpFile::close` can trigger UB

Affected Packages 1

Fixed Packages 1

Affected versions of the crate failed to catch C++ exceptions raised within the XmpFile::close function. If such an exception occured, it would trigger undefined behavior, typically a process abort.

This is best demonstrated in issue #230, where a race condition causes the close call to fail due to file I/O errors.

This was fixed in PR #232 (released as crate version 1.9.0), which now safely handles the exception.

For backward compatibility, the existing API ignores the error. A new API XmpFile::try_close was added to allow callers to receive and process the error result.

Users of all prior versions of xmp_toolkit are encouraged to update to version 1.9.0 to avoid undefined behavior.

Package	Affected Version
pkg:cargo/xmp_toolkit	< 1.9.0

Package	Fixed Version
pkg:cargo/xmp_toolkit	>= 1.9.0

ID: RUSTSEC-2024-0360
URL: https://rustsec.org/advisories/RUSTSEC-2024-0360.html
Published: 2024-07-26T00:00:00
(6 weeks ago)
Modified: 2024-07-26T18:09:25
(6 weeks ago)

Source	# ID	URL
		https://github.com/adobe/xmp-toolkit-rs/issues/233
crates.io	xmp_toolkit	https://crates.io/crates/xmp_toolkit
rustsec.org	xmp_toolkit	https://rustsec.org/packages/xmp_toolkit.html

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Fixed	pkg:cargo/xmp_toolkit		xmp_toolkit	>= 1.9.0
Affected	pkg:cargo/xmp_toolkit		xmp_toolkit	< 1.9.0