VYPR
Critical severity · NVD Advisory · Published Mar 12, 2021 · Updated Aug 3, 2024

CVE-2021-28308

Description

An issue was discovered in the fltk crate before 0.15.3 for Rust. There is an out-of-bounds read because the pixmap constructor lacks pixmap input validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the fltk crate for Rust before 0.15.3, the pixmap constructor lacks input validation, causing an out-of-bounds read.

CVE-2021-28308: Out-of-bounds read in fltk pixmap constructor

An out-of-bounds read vulnerability exists in the fltk crate for Rust, a set of bindings for the FLTK GUI library. The flaw resides in the pixmap constructor, which does not perform proper input validation when constructing a Pixmap object. This lack of validation can lead to the reading of memory beyond the allocated buffer. The issue is present in versions prior to 0.15.3 [1][2][3].

Attack Vector and Prerequisites

The vulnerability can be triggered when an attacker is able to supply malformed or specially crafted pixmap data to the Pixmap::new function. While no authentication is required to invoke the vulnerable function, the attacker would need some way to influence the pixmap data processed by the application, such as by providing manipulated image files or through data injection into an interface that uses the pixmap loader. The crate's cross-platform nature makes this issue relevant across Windows, Linux, and macOS when using the bundled FLTK library [1][2][3].
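The class of check that is missing in the affected versions, shown as an added example in Rust that is not code from the fltk crate or from its fix: a validator for XPM-style pixmap data of the kind handed to a pixmap constructor, which verifies that the body actually contains everything the header line promises before any decoder indexes into it. The XPM layout assumed here (a header line "width height ncolors chars_per_pixel", then ncolors colour lines, then height pixel rows of width * chars_per_pixel characters) is the standard format; the error type, function names and the three sample pixmaps are hypothetical and constructed for this example. The decoder at the end relies on the validator so that a header claiming more rows or wider rows than were supplied is rejected instead of driving a read past the end of the data.

```rust
use std::collections::HashMap;

/// Error type for this added example; it is not part of the fltk crate.
#[derive(Debug, PartialEq, Eq)]
pub enum PixmapError {
    MissingHeader,
    BadHeader(String),
    TooFewColorLines { expected: usize, found: usize },
    BadColorLine { index: usize },
    TooFewRows { expected: usize, found: usize },
    BadRowLength { row: usize, expected: usize, found: usize },
    UnknownColor { row: usize, col: usize },
}

/// The "width height ncolors chars_per_pixel" header line of an XPM pixmap.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct XpmHeader { pub width: usize, pub height: usize, pub ncolors: usize, pub cpp: usize }

fn parse_header(line: &str) -> Result<XpmHeader, PixmapError> {
    let bad = || PixmapError::BadHeader(line.to_string());
    let f: Vec<usize> = line.split_whitespace().map(|s| s.parse::<usize>())
        .collect::<Result<_, _>>().map_err(|_| bad())?;
    if f.len() < 4 || f[..4].iter().any(|&v| v == 0) {
        return Err(bad());
    }
    Ok(XpmHeader { width: f[0], height: f[1], ncolors: f[2], cpp: f[3] })
}

/// Check that the body holds what the header promises. Checked arithmetic keeps an
/// absurd header from overflowing the offsets; every bound a decoder trusts is set here.
pub fn validate_xpm(data: &[&str]) -> Result<XpmHeader, PixmapError> {
    let hdr = parse_header(data.first().ok_or(PixmapError::MissingHeader)?)?;
    let bad = || PixmapError::BadHeader(data[0].to_string());

    // Colour table: `ncolors` lines, each a `cpp`-character key followed by a colour spec.
    let rows_start = hdr.ncolors.checked_add(1).ok_or_else(|| bad())?;
    let colors = data.get(1..rows_start).ok_or(PixmapError::TooFewColorLines {
        expected: hdr.ncolors,
        found: data.len() - 1,
    })?;
    if let Some(index) = colors.iter().position(|l| l.chars().count() <= hdr.cpp) {
        return Err(PixmapError::BadColorLine { index });
    }

    // Pixel rows: exactly `height` lines of exactly `width * cpp` characters each.
    let rows_end = rows_start.checked_add(hdr.height).ok_or_else(|| bad())?;
    let rows = data.get(rows_start..rows_end).ok_or(PixmapError::TooFewRows {
        expected: hdr.height,
        found: data.len().saturating_sub(rows_start),
    })?;
    let expected = hdr.width.checked_mul(hdr.cpp).ok_or_else(|| bad())?;
    for (row, line) in rows.iter().enumerate() {
        let found = line.chars().count();
        if found != expected {
            return Err(PixmapError::BadRowLength { row, expected, found });
        }
    }
    Ok(hdr)
}

/// Decode to colour-table indices, one per pixel. `validate_xpm` has bounded every
/// slice used below, so the indexing cannot run past the supplied data.
pub fn decode_indices(data: &[&str]) -> Result<Vec<Vec<usize>>, PixmapError> {
    let hdr = validate_xpm(data)?;
    let table: HashMap<String, usize> = data[1..=hdr.ncolors].iter().enumerate()
        .map(|(i, l)| (l.chars().take(hdr.cpp).collect::<String>(), i))
        .collect();
    let rows_start = hdr.ncolors + 1;
    let mut out = Vec::with_capacity(hdr.height);
    for (row, line) in data[rows_start..rows_start + hdr.height].iter().enumerate() {
        let chars: Vec<char> = line.chars().collect();
        let mut pixels = Vec::with_capacity(hdr.width);
        for col in 0..hdr.width {
            let key: String = chars[col * hdr.cpp..(col + 1) * hdr.cpp].iter().collect();
            pixels.push(*table.get(&key).ok_or(PixmapError::UnknownColor { row, col })?);
        }
        out.push(pixels);
    }
    Ok(out)
}

/// Constructed sample inputs (3x2 pixels, two colours); not taken from any real application.
pub const GOOD_XPM: &[&str] = &["3 2 2 1", ". c #000000", "# c #ffffff", ".#.", "#.#"];
/// Header claims four rows but only two follow: a decoder trusting the header reads past the end.
pub const SHORT_XPM: &[&str] = &["3 4 2 1", ". c #000000", "# c #ffffff", ".#.", "#.#"];
/// Second row is one pixel narrower than the declared width.
pub const NARROW_ROW_XPM: &[&str] = &["3 2 2 1", ". c #000000", "# c #ffffff", ".#.", "#."];

fn main() {
    for (name, xpm) in [("good", GOOD_XPM), ("short", SHORT_XPM), ("narrow", NARROW_ROW_XPM)] {
        match decode_indices(xpm) {
            Ok(px) => println!("{}: decoded {}x{} pixmap", name, px[0].len(), px.len()),
            Err(e) => println!("{}: rejected before decoding: {:?}", name, e),
        }
    }
}
```

The validator reports the first inconsistency it finds together with the numbers involved, which is what an application log needs when a rejected image arrives over an untrusted channel; the decoder deliberately contains no bounds checks of its own, to make the point that every one of its slices is only safe because the header-to-body checks ran first.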

Impact

Successful exploitation of this out-of-bounds read could lead to information disclosure, as an attacker may read sensitive data from adjacent memory regions. Additionally, the behavior could cause a program crash, resulting in a denial of service. The RustSec advisory categorizes this as a memory safety issue with undefined behavior, which can potentially be leveraged for more severe consequences depending on the application's context [3].

Mitigation

The vulnerability has been patched in fltk crate version 0.15.3 and later. Users are advised to update their Cargo.toml dependency to "^1.5" or newer, which includes the fix [1][2][3]. No workarounds are documented; the only recommended mitigation is to upgrade to the patched version.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions   Patched versions
fltk (crates.io)    < 0.15.3            0.15.3
