VYPR
High severity · NVD Advisory · Published Sep 19, 2020 · Updated Aug 4, 2024

CVE-2020-25794

Description

An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, clone can have a memory-safety issue upon a panic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In sized-chunks crate ≤0.6.2, Chunk's clone method is not panic-safe, leading to memory safety issues when a panic occurs during cloning.

Vulnerability Overview

CVE-2020-25794 affects the sized-chunks crate for Rust, versions up to and including 0.6.2. The issue lies in the Chunk implementation's clone method, which is not panic-safe. If a panic occurs during the cloning process—for example, when cloning an element whose Clone implementation panics—the internal state of the Chunk can become inconsistent, leading to memory safety violations [1][2]. This is a classic soundness bug in unsafe Rust code, where invariants assumed by the unsafe blocks are not upheld in the presence of panics.
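The panic-safety pattern described above, as an added example that is not code from the sized-chunks crate or from this advisory: a hypothetical `FixedBuf` type whose `clone` raises its length only after each slot is written, so a panic inside an element's `Clone` drops only initialized slots. The `Tracked` type, the `LIVE` counter and the `demo` helper are constructed for the demonstration.

```rust
use std::{mem::MaybeUninit, panic::{catch_unwind, AssertUnwindSafe}};
use std::sync::atomic::{AtomicIsize, Ordering::SeqCst};

/// Hypothetical fixed-capacity buffer. Invariant: slots[..len] are initialized.
pub struct FixedBuf<T, const N: usize> { slots: [MaybeUninit<T>; N], len: usize }
impl<T, const N: usize> FixedBuf<T, N> {
    pub fn new() -> Self {
        Self { slots: std::array::from_fn(|_| MaybeUninit::uninit()), len: 0 }
    }
    pub fn push(&mut self, value: T) {
        self.slots[self.len].write(value); // indexing panics first if full
        self.len += 1;
    }
}
impl<T: Clone, const N: usize> Clone for FixedBuf<T, N> {
    fn clone(&self) -> Self {
        let mut out = Self::new();
        for i in 0..self.len {
            // T::clone may panic; unwinding then drops `out`. Setting
            // out.len = self.len up front would drop uninitialized slots.
            let item = unsafe { self.slots[i].assume_init_ref() }.clone();
            out.slots[i].write(item);
            out.len = i + 1; // count the slot only once it holds a value
        }
        out
    }
}
impl<T, const N: usize> Drop for FixedBuf<T, N> {
    fn drop(&mut self) {
        // Trusts the invariant: exactly slots[..len] are dropped.
        self.slots[..self.len].iter_mut().for_each(|s| unsafe { s.assume_init_drop() });
    }
}

static LIVE: AtomicIsize = AtomicIsize::new(0); // live Tracked values
struct Tracked(u32); // constructed test type: cloning the value 13 panics
impl Tracked { fn new(v: u32) -> Self { LIVE.fetch_add(1, SeqCst); Tracked(v) } }
impl Clone for Tracked {
    fn clone(&self) -> Self { assert!(self.0 != 13, "panic in Clone"); Tracked::new(self.0) }
}
impl Drop for Tracked { fn drop(&mut self) { LIVE.fetch_sub(1, SeqCst); } }

pub fn demo() -> (bool, isize) { // (did clone panic, live values after all drops)
    let mut buf: FixedBuf<Tracked, 4> = FixedBuf::new();
    for v in [1, 2, 13, 4] { buf.push(Tracked::new(v)); }
    let panicked = catch_unwind(AssertUnwindSafe(|| buf.clone())).is_err();
    drop(buf);
    (panicked, LIVE.load(SeqCst))
}
fn main() { println!("{:?}", demo()); }
```

A live count of zero after the caught panic means every constructed value was dropped exactly once: the two clones made before the panic and the four originals.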

Exploitation Conditions

Exploitation requires an attacker to control the data being cloned into a Chunk such that a panic is triggered during the clone operation. This can be achieved by providing a custom type with a Clone implementation that panics under specific conditions (e.g., when a certain field value is encountered). The attacker must also be able to influence the program to clone a Chunk containing such elements. No special network position or authentication is needed if the attacker can supply data to the application [1][3].

Impact

A successful exploit can result in memory corruption, including use-after-free or double-free conditions. In the context of a Rust program, this can lead to undefined behavior, potentially allowing an attacker to achieve arbitrary code execution or cause a denial of service. The RustSec advisory rates this vulnerability as HIGH severity with a CVSS score of 7.5 [3].

Mitigation Status

The sized-chunks repository has been archived by the owner and is read-only [4]. No patched version has been released for this issue. Users of the crate are advised to avoid using the affected Chunk type or to switch to alternative implementations that provide similar functionality with proper panic safety. The RustSec advisory recommends migrating away from the crate entirely [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions    Patched versions
sized-chunks (crates.io)   < 0.6.3              0.6.3
