[RUSTSEC-2024-0360] `XmpFile::close` can trigger UB
Affected Packages: 1
Fixed Packages: 1

Affected versions of the crate failed to catch C++ exceptions raised within the `XmpFile::close` function. If such an exception occurred, it would trigger undefined behavior, typically a process abort.

This is best demonstrated in issue #230, where a race condition causes the `close` call to fail due to file I/O errors.

This was fixed in PR #232 (released as crate version 1.9.0), which now safely handles the exception. For backward compatibility, the existing API ignores the error. A new API, `XmpFile::try_close`, was added to allow callers to receive and process the error result.

Users of all prior versions of `xmp_toolkit` are encouraged to update to version 1.9.0 to avoid undefined behavior.

Package | Affected Version |
---|---|
pkg:cargo/xmp_toolkit | < 1.9.0 |

Package | Fixed Version |
---|---|
pkg:cargo/xmp_toolkit | >= 1.9.0 |
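
To check whether a project still locks an affected release, the following added example (not part of the advisory or of the xmp_toolkit project) scans `Cargo.lock` text for `xmp_toolkit` versions below 1.9.0. The sample lockfile is constructed, and treating a 1.9.0 pre-release or an unparseable version as affected is an assumption of this example.

```rust
const CRATE: &str = "xmp_toolkit";
const FIXED: (u64, u64, u64) = (1, 9, 0); // first fixed release per the advisory

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "serde"
version = "1.0.200"

[[package]]
name = "xmp_toolkit"
version = "1.8.0"
"#;

/// Some(true) when `version` is below 1.9.0; None when it cannot be parsed.
/// Assumption: a pre-release of 1.9.0 (e.g. "1.9.0-rc.1") counts as affected.
fn is_affected(version: &str) -> Option<bool> {
    let core_end = version.find(|c: char| c == '-' || c == '+').unwrap_or(version.len());
    let prerelease = version[core_end..].starts_with('-');
    let mut parts = version[..core_end].split('.').map(|p| p.parse::<u64>().ok());
    let v = (parts.next()??, parts.next()??, parts.next()??);
    Some(v < FIXED || (v == FIXED && prerelease))
}

/// Extract the quoted value from a `key = "value"` line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Return every locked xmp_toolkit version in the lockfile text that is affected.
fn affected_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut in_target = false;
    for line in lockfile.lines().map(str::trim) {
        if let Some(name) = field(line, "name") {
            // `name` is the first key of each package entry, so it resets the state.
            in_target = name == CRATE;
        } else if let Some(ver) = field(line, "version") {
            // Unparseable versions are reported too (fail closed).
            if in_target && is_affected(ver).unwrap_or(true) {
                hits.push(ver.to_string());
            }
        }
    }
    hits
}

fn main() {
    for v in affected_versions(SAMPLE_LOCK) {
        println!("{} {} is affected by RUSTSEC-2024-0360; update to >= 1.9.0", CRATE, v);
    }
}
```
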

- ID: RUSTSEC-2024-0360
- URL: https://rustsec.org/advisories/RUSTSEC-2024-0360.html
- Published: 2024-07-26T00:00:00
- Modified: 2024-07-26T18:09:25

Source | ID | Name | URL |
---|---|---|---|
 | | | https://github.com/adobe/xmp-toolkit-rs/issues/233 |
crates.io | | xmp_toolkit | https://crates.io/crates/xmp_toolkit |
rustsec.org | | xmp_toolkit | https://rustsec.org/packages/xmp_toolkit.html |

Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Fixed | pkg:cargo/xmp_toolkit | | xmp_toolkit | >= 1.9.0 | | | |
Affected | pkg:cargo/xmp_toolkit | | xmp_toolkit | < 1.9.0 | | | |