How the CVE Works:
The vulnerability in `array-init-cursor` arises from improper handling of types that implement the `Drop` trait. When a cursor is used with such a type, the `Drop` implementation executes twice, producing a double-free. This happens because the cursor fails to enforce proper ownership semantics, so the destructor runs more than once on the same memory. `Copy` types (e.g. `u8`) and indirect usage via `planus` are not affected, but custom `Drop` types are at risk of memory corruption or undefined behavior. The issue stems from incorrect lifetime management within the cursor's initialization logic.
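An added example, not code from `array-init-cursor` or from the advisory, of the ownership rule the paragraph describes: a minimal cursor over `MaybeUninit<T>` slots in which a single `len` counter decides which slots are initialized, so every value written into the buffer is destroyed exactly once, either by the abandoned cursor's `Drop` or by the caller after `finish` hands the array over. `Cursor`, `Tracked` and the thread-local drop counter are constructed for this example; the `Cursor` API here is a hypothetical design, not the crate's.

```rust
use std::cell::Cell;
use std::mem::MaybeUninit;
use std::ptr;

thread_local! {
    // Constructed counter: how many times `Tracked::drop` has run on this thread.
    static DROPS: Cell<usize> = Cell::new(0);
}

/// Constructed sample type: a non-Copy value whose destructor is observable.
#[derive(Debug)]
pub struct Tracked(pub String);

impl Drop for Tracked {
    fn drop(&mut self) {
        DROPS.with(|d| d.set(d.get() + 1));
    }
}

pub fn drop_count() -> usize {
    DROPS.with(|d| d.get())
}

pub fn reset_drop_count() {
    DROPS.with(|d| d.set(0));
}

/// Hypothetical cursor that initializes a fixed-size array element by element.
/// Ownership rule: `len` is the single source of truth for which slots hold a
/// live value; each slot is dropped at most once, either by `Drop` on an
/// abandoned cursor or by the caller after `finish` returns the array.
pub struct Cursor<T, const N: usize> {
    buf: [MaybeUninit<T>; N],
    len: usize,
}

impl<T, const N: usize> Cursor<T, N> {
    pub fn new() -> Self {
        Cursor { buf: std::array::from_fn(|_| MaybeUninit::uninit()), len: 0 }
    }

    /// Store the next value. Moving `value` into the slot transfers ownership
    /// to the buffer, so nothing else will drop it.
    pub fn write(&mut self, value: T) -> Result<(), T> {
        if self.len == N {
            return Err(value); // buffer full: hand the value back rather than leak it
        }
        self.buf[self.len].write(value);
        self.len += 1;
        Ok(())
    }

    pub fn len(&self) -> usize {
        self.len
    }

    /// Consume the cursor and return the array only if every slot was written.
    /// An incomplete cursor is handed back and is dropped exactly once via `Drop`.
    pub fn finish(self) -> Result<[T; N], Self> {
        if self.len != N {
            return Err(self);
        }
        // Suppress the cursor's own `Drop`: the elements now belong to the
        // returned array, and running both would be the double-drop bug.
        let me = std::mem::ManuallyDrop::new(self);
        // Safety: all N slots are initialized (len == N) and the cursor's
        // destructor will not run, so this is the only owner of the values.
        let arr = unsafe { ptr::read(&me.buf as *const [MaybeUninit<T>; N] as *const [T; N]) };
        Ok(arr)
    }
}

impl<T, const N: usize> Drop for Cursor<T, N> {
    fn drop(&mut self) {
        // Drop only the initialized prefix, each slot exactly once.
        for slot in &mut self.buf[..self.len] {
            // Safety: slots below `len` were written by `write`.
            unsafe { slot.assume_init_drop() };
        }
        self.len = 0;
    }
}

/// Scenario 1: abandon a partially filled cursor; returns drops observed.
pub fn drops_when_abandoned_partial() -> usize {
    reset_drop_count();
    {
        let mut cur: Cursor<Tracked, 3> = Cursor::new();
        cur.write(Tracked("a".into())).ok();
        cur.write(Tracked("b".into())).ok();
        // `cur` goes out of scope: the 2 written slots drop once each, the
        // third (never written) is left untouched.
    }
    drop_count()
}

/// Scenario 2: fill completely and hand the array to the caller.
/// Returns (drops right after `finish`, drops after the caller drops the array).
pub fn drops_when_finished() -> (usize, usize) {
    reset_drop_count();
    let mut cur: Cursor<Tracked, 3> = Cursor::new();
    for s in ["a", "b", "c"] {
        cur.write(Tracked(s.into())).ok();
    }
    let arr = match cur.finish() {
        Ok(a) => a,
        Err(_) => panic!("cursor was full"),
    };
    let before = drop_count(); // finish must not drop anything
    drop(arr);
    (before, drop_count())
}

/// Scenario 3: `finish` on an incomplete cursor is rejected; the returned
/// cursor is dropped once by the caller.
pub fn drops_when_finish_rejected() -> usize {
    reset_drop_count();
    let mut cur: Cursor<Tracked, 3> = Cursor::new();
    cur.write(Tracked("a".into())).ok();
    match cur.finish() {
        Ok(_) => unreachable!("only 1 of 3 slots written"),
        Err(incomplete) => drop(incomplete),
    }
    drop_count()
}
```

The three scenario functions return the drop counts a reviewer would check: abandoning a partially filled cursor drops only the written prefix, `finish` on a full cursor moves the elements out without dropping them (the counter stays at 0 until the returned array is dropped), and a rejected `finish` gives the cursor back to be dropped once. A cursor that ran its own `Drop` after also returning the array is exactly the double-drop the advisory describes.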
DailyCVE Form:
Platform: Rust crate
Version: array-init-cursor
Vulnerability: Double-free
Severity: Low
Date: Mar 31, 2025
What Undercode Say:
Exploit:
1. Craft a custom type implementing `Drop` with side effects (e.g., logging, file ops).
2. Use `array-init-cursor` to initialize an array of this type.
3. Observe duplicate side effects or memory corruption.
PoC Code:
```rust
struct Malicious {
    data: String,
}

impl Drop for Malicious {
    fn drop(&mut self) {
        println!("Dropped: {}", self.data); // Logs twice
    }
}

fn main() {
    let _ = array_init_cursor::ArrayCursor::new(/* array argument elided on the original page */);
}
```
Protection:
1. Avoid using `array-init-cursor` with `Drop` types.
2. Migrate to `planus` if possible.
3. Patch by forking and fixing ownership handling.
Analytics:
- Impact: Low (requires specific type usage).
- Attack Surface: Limited to custom `Drop` types.
- Mitigation Complexity: Trivial (avoidance).
Commands:
- Check dependency usage:

```bash
cargo tree | grep array-init-cursor
```

- Force upgrade in `Cargo.toml`:

```toml
# repository URL is a placeholder from the original page
array-init-cursor = { git = "https://patched/repo" }
```
Patch Suggestion:
```rust
// Ensure single ownership in cursor initialization
fn new(items: /* array type elided on the original page */) -> Self {
    // Prevent double-drop. Note: ManuallyDrop suppresses the destructor
    // entirely, so `items` is never dropped here and must be dropped
    // exactly once by whoever owns the finished array.
    let _ = std::mem::ManuallyDrop::new(items);
    Self { /* ... */ }
}
```
References:
Reported By: https://github.com/advisories/GHSA-67r5-rqwv-9p9q