VYPR
Moderate severity · NVD Advisory · Published Jan 22, 2021 · Updated Aug 4, 2024

CVE-2020-36205

Description

An issue was discovered in the xcb crate through 2020-12-10 for Rust. base::Error does not have soundness. Because of the public ptr field, a use-after-free or double-free can occur.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The xcb crate's base::Error struct exposes a public ptr field, so safe Rust code can build an Error around any pointer it likes; because the type's destructor frees that pointer, the result is a use-after-free or double-free with no unsafe block involved.

The xcb crate for Rust provides bindings to the X11 protocol. A soundness issue exists in the base::Error type, which wraps a raw pointer to a libxcb-allocated error record and exposes it as a public ptr field [1][3]. Writing a struct literal is always safe in Rust, even when a field is a raw pointer, so any safe code can construct an Error with an arbitrary pointer [4]. The type's Drop implementation then hands that pointer to the C allocator's free, which is only valid for memory that libxcb allocated. Nothing enforces that invariant, and that is what makes the type unsound: the library's unsafe code relies on a precondition that safe callers can violate.

No attacker input is needed to reach the bug. Any safe code in a program that depends on the crate can create an Error pointing at a stack or heap variable, or at the buffer of a Vec, and then let both the original owner and the Error go out of scope. Passing a pointer that did not come from the C allocator to free is undefined behaviour on its own; when the original owner is also dropped, the memory is released twice, and if the Error is dropped first while the owner keeps using the memory, the result is a use-after-free. The RustSec advisory notes that the vulnerability can be triggered without any unsafe code, because the struct's fields are public [3]. A proof-of-concept demonstrates that after creating an Error with a pointer to a vector's buffer, subsequent operations on the vector cause a double-free or use-after-free [4].

The CVSS 3.1 score is 5.5 (Medium), with availability impact rated High and confidentiality and integrity rated None [3]; that reflects the crash or abort an invalid free typically produces. The score should be read with the usual caveat for soundness bugs: there is no network-reachable trigger, the flaw is reached only by code linked into the same process that misuses the type, and, as with any double-free or use-after-free, the memory corruption could in principle be leveraged beyond a denial of service.

The issue was fixed in version 1.0.0 of the xcb crate [3]. Users should upgrade to xcb 1.0.0 or later, noting that 1.0 is a major release and the upgrade may require code changes. The advisory's recommended remedy is the standard pattern for FFI wrappers: keep the raw-pointer field private and expose only an unsafe constructor, so that whoever supplies the pointer must assert, in an unsafe block, that it satisfies the ownership precondition the destructor relies on [4].
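The two struct shapes discussed above, side by side, as an added example written for this page; it is not the xcb crate's code and does not reproduce its API. It assumes a stand-in for the C allocation and for libc::free (Box::into_raw / Box::from_raw plus a free counter) so that it runs without the libc crate; RawError, UnsoundError, SoundError and the helper names are illustrative. The unsound construction is compiled in safe code but is never allowed to reach its destructor, because letting it run would be exactly the invalid free the advisory describes.

```rust
// Added example for this page, not the xcb crate's code. The C side is
// emulated: c_alloc_error/c_free stand in for libxcb's allocation and
// libc::free (assumption), and FREE_COUNT records how often c_free ran.
use std::sync::atomic::{AtomicUsize, Ordering};

static FREE_COUNT: AtomicUsize = AtomicUsize::new(0);

/// Stand-in for a C error record such as xcb_generic_error_t (illustrative).
#[repr(C)]
pub struct RawError {
    pub response_type: u8,
    pub error_code: u8,
}

/// Stand-in for the C library handing us an owned, heap-allocated record.
pub fn c_alloc_error(code: u8) -> *mut RawError {
    Box::into_raw(Box::new(RawError { response_type: 0, error_code: code }))
}

/// Stand-in for libc::free. Only valid for pointers from c_alloc_error;
/// anything else (stack memory, a Vec buffer, an already-freed pointer) is
/// undefined behaviour, exactly as it is for the real free().
unsafe fn c_free(ptr: *mut RawError) {
    drop(Box::from_raw(ptr));
    FREE_COUNT.fetch_add(1, Ordering::SeqCst);
}

pub fn free_count() -> usize {
    FREE_COUNT.load(Ordering::SeqCst)
}

// ---- Unsound shape (the pattern the advisory describes) ----
// The field is public, so `UnsoundError { ptr }` is a plain struct literal
// that any safe code can write with any pointer. Drop then frees it.
pub struct UnsoundError {
    pub ptr: *mut RawError,
}

impl Drop for UnsoundError {
    fn drop(&mut self) {
        // Trusts a precondition (ptr came from the C allocator) that nothing enforced.
        unsafe { c_free(self.ptr) }
    }
}

// ---- Sound shape: private field, unsafe constructor, same destructor ----
pub struct SoundError {
    ptr: *mut RawError,
}

impl SoundError {
    /// # Safety
    /// `ptr` must be non-null, point to a live RawError obtained from
    /// c_alloc_error, and not be freed by anyone else afterwards.
    pub unsafe fn from_raw(ptr: *mut RawError) -> Self {
        debug_assert!(!ptr.is_null());
        SoundError { ptr }
    }

    pub fn error_code(&self) -> u8 {
        // Valid because from_raw's contract guarantees a live record.
        unsafe { (*self.ptr).error_code }
    }
}

impl Drop for SoundError {
    fn drop(&mut self) {
        unsafe { c_free(self.ptr) }
    }
}

/// Safe use of the sound type: the only way to build one is through the
/// unsafe constructor, and the record is freed exactly once.
/// Returns (error code read back, number of frees performed).
pub fn sound_roundtrip(code: u8) -> (u8, usize) {
    let before = free_count();
    let read = {
        let err = unsafe { SoundError::from_raw(c_alloc_error(code)) };
        err.error_code()
    }; // err dropped here -> exactly one c_free
    (read, free_count() - before)
}

/// The soundness hole: this function contains no `unsafe` yet builds an
/// UnsoundError around a stack variable. It must not reach Drop, so
/// mem::forget skips the destructor; running it would call c_free on memory
/// the allocator never owned. Returns the number of frees performed (0).
pub fn unsound_construction_compiles() -> usize {
    let before = free_count();
    let mut on_stack = RawError { response_type: 0, error_code: 7 };
    let bogus = UnsoundError { ptr: &mut on_stack as *mut RawError }; // no unsafe needed
    std::mem::forget(bogus);
    free_count() - before
}

fn main() {
    println!("sound roundtrip (code, frees): {:?}", sound_roundtrip(42));
    println!("unsound literal compiled, frees skipped: {}", unsound_construction_compiles());
}
```

The point of the contrast is where the unsafe keyword lands: in the sound shape the caller of from_raw writes it and thereby takes responsibility for the pointer's provenance, whereas in the unsound shape the only unsafe is inside Drop, trusting an invariant that the public field lets any safe code break.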

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: xcb (crates.io)
Affected versions: < 1.0.0
Patched versions: 1.0.0

Affected products: 2

Patches: none discovered yet.


References: 5
