VYPR
Critical severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2020-36513

Description

An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. read_up_to may read from uninitialized memory locations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The acc_reader crate for Rust up to 2020-12-27 reads from uninitialized memory in fill_buf() and read_up_to(), enabling undefined behavior.

Vulnerability

The acc_reader crate through version 2020-12-27 contains a memory-safety issue in its fill_buf() and read_up_to() methods. The fill_buf() implementation (as shown in the BufRead impl) uses unsafe code to grow the internal buffer without initializing the new capacity, then passes a slice of that uninitialized buffer to a user-provided Read implementation. Any Read implementation can read from this uninitialized memory, producing undefined values and potentially triggering undefined behavior. The read_up_to() function suffers from the same flaw [1][3].

Exploitation

An attacker can exploit this by supplying a Read implementation that inspects the uninitialized buffer passed to it by the acc_reader before (or instead of) writing into it; the Read trait places no restriction on reading the caller's buffer, so this is legal from the implementation's side. No special network position or authentication is required; the attacker only needs to control the Read source provided to AccReader. The vulnerable code path is triggered whenever fill_buf() or read_up_to() is called and the internal buffer needs to be extended (i.e., when available == 0) [1].
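The following is an added example, not code from the acc_reader crate or its advisory, illustrating the mechanism described in the Vulnerability and Exploitation paragraphs above. It models the unsound pattern (grow a Vec with set_len, then hand the never-written tail to a user-supplied Read) next to the sound pattern (zero-initialize the new capacity first), and pairs both with a Read source that records whatever bytes it is handed. The names PeekingSource, fill_unsound, fill_sound and demo are the example's own; the unsound function is kept only for contrast and is never called, because executing it is undefined behavior.

```rust
use std::io::{self, Read};

/// A Read source that inspects the buffer it is handed before writing into it.
/// Constructed for this example; any Read impl is allowed to do this, which is
/// why the caller must never expose uninitialized memory through the slice.
struct PeekingSource {
    payload: Vec<u8>,
    pos: usize,
    /// Copy of the bytes that were already present in the slice passed to read().
    seen: Vec<u8>,
}

impl Read for PeekingSource {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        // Legal for a Read impl: look at the caller's buffer contents.
        self.seen.extend_from_slice(buf);
        let n = (self.payload.len() - self.pos).min(buf.len());
        buf[..n].copy_from_slice(&self.payload[self.pos..self.pos + n]);
        self.pos += n;
        Ok(n)
    }
}

/// The pattern the advisory describes (modelled here, not acc_reader's own code):
/// reserve capacity, extend the length with set_len without writing the new bytes,
/// and pass that tail to read(). Reading those bytes is undefined behavior.
/// Shown for contrast only; never invoked in this example.
#[allow(dead_code)]
fn fill_unsound<R: Read>(reader: &mut R, buf: &mut Vec<u8>, extra: usize) -> io::Result<usize> {
    let old_len = buf.len();
    buf.reserve(extra);
    // UB: bytes in old_len..old_len + extra were never initialized.
    unsafe { buf.set_len(old_len + extra) };
    let n = reader.read(&mut buf[old_len..])?;
    buf.truncate(old_len + n);
    Ok(n)
}

/// Sound version: every byte in the new region is written before read() sees it.
fn fill_sound<R: Read>(reader: &mut R, buf: &mut Vec<u8>, extra: usize) -> io::Result<usize> {
    let old_len = buf.len();
    buf.resize(old_len + extra, 0);
    let n = reader.read(&mut buf[old_len..])?;
    buf.truncate(old_len + n);
    Ok(n)
}

/// Runs the sound fill against the peeking source with constructed input and
/// returns (bytes read, buffer after fill, bytes the source observed before writing).
fn demo() -> (usize, Vec<u8>, Vec<u8>) {
    let mut src = PeekingSource { payload: b"hello".to_vec(), pos: 0, seen: Vec::new() };
    let mut buf: Vec<u8> = b"ab".to_vec();
    let n = fill_sound(&mut src, &mut buf, 8).expect("in-memory read cannot fail");
    (n, buf, src.seen)
}

fn main() {
    let (n, buf, seen) = demo();
    println!("read {} bytes, buffer = {:?}", n, buf);
    // With the sound fill the source only ever observes zeroes, never stale memory.
    println!("source observed {:?} before writing", seen);
}
```

The point of the recorded `seen` vector is the check a reviewer should apply to any buffered reader: whatever a Read implementation can observe in the slice it is given must be fully initialized by the caller. Zero-filling with resize is the simplest fix; it costs one memset per growth, which is negligible next to the I/O it precedes.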

Impact

Successful exploitation leads to reading uninitialized memory, which can expose sensitive data or produce undefined values. Since undefined values can propagate, this can quickly lead to undefined behavior, potentially including crashes, logic errors, or other memory-safety violations. The vulnerability is classified as a memory-exposure issue and can compromise the confidentiality and integrity of the application [3].

Mitigation

As of the latest advisory (June 2023), no patched version of the acc_reader crate has been released. The maintainer has indicated they are no longer able to support the library, so no fix is forthcoming [3][4]. Users should stop depending on the acc_reader crate and migrate to an alternative library. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: acc_reader (crates.io)
Affected versions: <= 2.0.0
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.