chore(deps): update rust crate serde_with to v3.21.0 [security]#612
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update rust crate serde_with to v3.21.0 [security]#612renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.14.0→3.21.0serde_with: KeyValueMap serialization panics on empty sequence or map entries
GHSA-7gcf-g7xr-8hxj
More information
Details
Summary
The public
KeyValueMapserializer assumes that each mapped element has at least one field or item to use as the map key, but it subtracts1from the caller-visible length before validating that assumption. An application that serializes attacker-controlled data through#[serde_as(as = "KeyValueMap<_>")]can be crashed by an empty inner sequence or map entry.Details
The affected public surface includes:
#[serde_as(as = "KeyValueMap<_>")]values throughserde_json::to_stringor any other Serde serializer`KeyValueMapconversions for sequence and map-backed entries`The root cause is: The
KeyValueMapserializer preallocatingVec::with_capacity(len - 1)orVec::with_capacity(len.unwrap_or(17) - 1)before checking that the element actually contains the required first key field or item.The vulnerable data/control flow is: attacker-controlled empty entry ->
serde_json::to_string->KeyValueMap<TAs>::serialize_as->SeqAsMapSerializer::{serialize_seq,serialize_map}->Vec::with_capacity(len - 1)orVec::with_capacity(len.unwrap_or(17) - 1)-> panicRelevant source locations:
serde_with/src/key_value_map.rs:590serde_with/src/key_value_map.rs:599serde_with/src/key_value_map.rs:613serde_with/src/key_value_map.rs:632serde_with/src/key_value_map.rs:648PoC
Impact
A local attacker who can trigger serialization of attacker-controlled data through
KeyValueMapcan terminate the process, causing a denial of service.Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
jonasbb/serde_with (serde_with)
v3.21.0: serde_with v3.21.0Compare Source
Security
GHSA-7gcf-g7xr-8hxj: KeyValueMap serialization panics on empty sequence or map entries
Bad or attacker controlled values could cause a panic while allocating too large values.
Fixed in #966 by setting a maximum allocation size during the creation of collections like
Vecor sets.Thanks to @7thParkk for reporting the issue.
Added
NoneAsZeroadapter that mapsOption<NonZero*>to a plain integer, encodingNoneas0by @SAY-5 (#486)Changed
Fixed
unused_qualificationsand fix the resulting findings by @lms0806 (#962)v3.20.0: serde_with v3.20.0Compare Source
Added
base58encoding, similar to the existingbase64setup by @mitinarseny (#943)Fixed
base64withschemarssupport by @mitinarseny (#9949)v3.19.0: serde_with v3.19.0Compare Source
Added
Add support for
hashbrownv0.17 (#940)This extends the existing support for
hashbrownto the newly released version.v3.18.0: serde_with v3.18.0Compare Source
Added
OneOrManywith more sequence and set types (#929)Changed
darlingdependencyv3.17.0: serde_with v3.17.0Compare Source
Added
OneOrManywithsmallvecv1 (#920, #922)Changed
yaml_serdefor a maintained yaml dependency by @kazan417 (#921)yaml_serdedev-dependency.v3.16.1: serde_with v3.16.1Compare Source
Fixed
JsonSchemaAsofSetPreventDuplicatesandSetLastValueWins. (#906, #907)v3.16.0: serde_with v3.16.0Compare Source
Added
smallvecv1 under thesmallvec_1feature flag by @isharma228 (#895)JsonSchemaAsimplementation forjson::JsonStringby @yogevm15 (#901)v3.15.1: serde_with v3.15.1Compare Source
Fixed
serde_core.v3.15.0: serde_with v3.15.0Compare Source
Added
Added error inspection to
VecSkipErrorandMapSkipErrorby @michelhe (#878)This allows interacting with the previously hidden error, for example for logging.
Checkout the newly added example to both types.
Allow documenting the types generated by
serde_conv!.The
serde_conv!macro now acceps outer attributes before the optional visibility modifier.This allow adding doc comments in the shape of
#[doc = "..."]or any other attributes, such as lint modifiers.Add support for
hashbrownv0.16 (#877)This extends the existing support for
hashbrownv0.14 and v0.15 to the newly released version.Changed
tomldev-dependency.v3.14.1: serde_with v3.14.1Compare Source
Fixed
Since macros are used to generate trait implementations, this is useful to understand the exact generated code.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.