GHSA-2rxc-gjrp-vjhx

Source
https://github.com/advisories/GHSA-2rxc-gjrp-vjhx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-2rxc-gjrp-vjhx/GHSA-2rxc-gjrp-vjhx.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2rxc-gjrp-vjhx
Published
2024-12-04T18:31:31Z
Modified
2024-12-04T18:31:31Z
Summary
Unsoundness in anstream
Details

When given the valid UTF-8 string "ö\x1b😀", the function in crates/anstream/src/adapter/strip.rs gets confused. The UTF-8 bytes are \xc3\xb6, then \x1b, then \xf0\x9f\x98\x80.

When looping over "non-printable bytes", \x1b\xf0 is treated as one non-printable sequence, even though \xf0 is the lead byte of the four-byte encoding of 😀.

This produces a broken str from the incorrectly segmented bytes via str::from_utf8_unchecked, which must never happen.
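As an added illustration (not anstream's code and not part of the advisory), the following Rust sketch models the segmentation error with a constructed byte-level stripper that always consumes ESC plus the byte after it, next to a char-based variant that cannot split a multibyte character; the names strip_bytes_naive, strip_chars_sound and strip_naive_checked are invented for this example.

```rust
const ESC: u8 = 0x1b;

/// Naive byte-level strip (constructed stand-in for the faulty segmentation,
/// not anstream's real logic): ESC and the byte after it are always dropped
/// together, so an ESC followed by a multibyte character eats its lead byte.
fn strip_bytes_naive(input: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(input.len());
    let mut i = 0;
    while i < input.len() {
        if input[i] == ESC {
            i += 2;
        } else {
            out.push(input[i]);
            i += 1;
        }
    }
    out
}

/// Same idea on chars: a control char can never be split from a neighbouring
/// multibyte character, so the result is valid UTF-8 by construction and no
/// from_utf8_unchecked is needed.
fn strip_chars_sound(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    let mut it = input.chars().peekable();
    while let Some(c) = it.next() {
        if c == '\x1b' {
            // Only a 7-bit ASCII char can follow ESC in an escape sequence;
            // a non-ASCII char after a stray ESC is ordinary text and is kept.
            if matches!(it.peek(), Some(next) if next.is_ascii()) {
                it.next();
            }
        } else {
            out.push(c);
        }
    }
    out
}

/// What a safe version of the byte path must do: validate before making a str.
fn strip_naive_checked(input: &str) -> Result<String, std::str::Utf8Error> {
    let bytes = strip_bytes_naive(input.as_bytes());
    std::str::from_utf8(&bytes).map(str::to_owned)
}

fn main() {
    let sample = "\u{00f6}\x1b\u{1f600}"; // the advisory's input "ö\x1b😀"
    println!("naive: {:?}", strip_naive_checked(sample)); // Err(..)
    println!("sound: {:?}", strip_chars_sound(sample)); // "ö😀"
}
```

The naive path leaves the bytes c3 b6 9f 98 80, a dangling continuation byte that std::str::from_utf8 rejects, which is exactly the check from_utf8_unchecked skips.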

Full credit goes to @Ralith who reviewed this code and asked @burakemir to follow up.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-04T18:31:31Z"
}
Affected packages

crates.io / anstream

Affected ranges
Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.6.8