VYPR
Critical severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45692

Description

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_extension_others may read from uninitialized memory locations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The messagepack-rs crate passes uninitialized memory to a user-provided Read implementation, potentially exposing sensitive data.

Vulnerability

The messagepack-rs crate (all versions up to and including 2021-01-26) contains a vulnerability in several deserialization functions. The functions deserialize_extension_others, deserialize_binary, deserialize_string, and deserialize_unknown pass uninitialized memory to a user-provided Read implementation. This occurs because they allocate a Vec, call unsafe { buf.set_len(size); } to extend its length without initializing the newly exposed bytes, and then hand that buffer to the Read implementation to fill. Any code on the Read side (or the deserializer itself, if the read is short) can therefore observe uninitialized memory [1][2][3].

Exploitation

An attacker who can control the data passed to a Read implementation used by these deserialization functions can trigger the vulnerability. The attacker does not need special privileges; any code that deserializes untrusted data using the vulnerable functions may be affected. The exploit requires that the attacker craft a malicious input that, when deserialized, causes the affected functions to read from uninitialized memory [2][3].

Impact

Successful exploitation can lead to exposure of uninitialized memory, which may contain sensitive information. This is a memory-exposure vulnerability that violates Rust's memory safety guarantees. The impact could include information disclosure (e.g., leaking secrets or sensitive data) and potentially undefined behavior [3].

Mitigation

As of the latest advisory (June 2023), there are no patched versions of the messagepack-rs crate [3]. The repository [4] shows no fix has been released. Users should avoid using this crate for processing untrusted data until a fix is available, or switch to an alternative MessagePack implementation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
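The vulnerable pattern described under Vulnerability, next to the safe alternative a maintainer would apply under Mitigation, as an added Rust example that is not the crate's own code: `read_bytes` zero-fills the buffer before handing it to `Read`, `deserialize_bin` decodes the MessagePack bin family on top of it, and `SnoopingReader` is a constructed test double that records whatever bytes a Read implementation gets to see. The `MAX_BIN_LEN` cap is an assumption of this example, not something the advisory specifies.

```rust
use std::io::{self, Read};

// Hypothetical defensive cap on one bin payload (an assumption of this
// example; the advisory does not specify a limit).
const MAX_BIN_LEN: usize = 1 << 20;

/// Read `len` bytes into a freshly zero-initialised buffer. The advisory's
/// vulnerable shape was, in effect:
///     let mut buf = Vec::with_capacity(len);
///     unsafe { buf.set_len(len); }   // contents uninitialised
///     reader.read_exact(&mut buf)?;  // Read impl can observe them
/// Filling with zeros first means a Read impl only ever sees defined bytes.
fn read_bytes<R: Read>(reader: &mut R, len: usize) -> io::Result<Vec<u8>> {
    if len > MAX_BIN_LEN {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "bin length over limit"));
    }
    let mut buf = vec![0u8; len];
    reader.read_exact(&mut buf)?;
    Ok(buf)
}

/// Decode a MessagePack bin value (bin 8 = 0xc4, bin 16 = 0xc5, bin 32 = 0xc6).
fn deserialize_bin<R: Read>(reader: &mut R) -> io::Result<Vec<u8>> {
    let mut tag = [0u8; 1];
    reader.read_exact(&mut tag)?;
    let len = match tag[0] {
        0xc4 => { let mut b = [0u8; 1]; reader.read_exact(&mut b)?; b[0] as usize }
        0xc5 => { let mut b = [0u8; 2]; reader.read_exact(&mut b)?; u16::from_be_bytes(b) as usize }
        0xc6 => { let mut b = [0u8; 4]; reader.read_exact(&mut b)?; u32::from_be_bytes(b) as usize }
        _ => return Err(io::Error::new(io::ErrorKind::InvalidData, "not a bin value")),
    };
    read_bytes(reader, len)
}

/// Constructed test double standing in for any third-party reader that inspects
/// or logs its buffer: it copies what the caller handed it before writing real data.
struct SnoopingReader<'a> {
    data: &'a [u8],
    seen: Vec<u8>,
}

impl Read for SnoopingReader<'_> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.seen.extend_from_slice(buf); // under set_len this would be stale heap data
        let n = buf.len().min(self.data.len());
        buf[..n].copy_from_slice(&self.data[..n]);
        self.data = &self.data[n..];
        Ok(n)
    }
}
```

With the zero-filled buffer the snooping reader only ever records zeros; an oversized bin 32 length is rejected before any allocation, and a truncated stream surfaces as an UnexpectedEof rather than as leftover buffer contents.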

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions    Patched versions
messagepack-rs (crates.io) <= 0.8.1             none

Affected products

2

Patches

0

No patches discovered yet.
