Skip to content

Add advisory for bump-scope: wrong documentation potentially leading to use-after-free#3047

Closed
bluurryy wants to merge 1 commit into
rustsec:mainfrom
bluurryy:bump-scope-misdocumented-use-after-free
Closed

Add advisory for bump-scope: wrong documentation potentially leading to use-after-free#3047
bluurryy wants to merge 1 commit into
rustsec:mainfrom
bluurryy:bump-scope-misdocumented-use-after-free

Conversation

@bluurryy

@bluurryy bluurryy commented Jul 9, 2026

Copy link
Copy Markdown

I'm the maintainer of the affected crate.

Affected crate(s)

  • bump-scope (88,910 recent downloads per crates.io)

Links to upstream issue(s) or PR(s)

Severity

Soundness issue in safety invariants of BumpAllocatorCore trait potentially leading to use-after-free bugs.

This does not affect safe code of the library. It only affects niche, unlikely to be useful or used, safety invariants.

Checklist

  • Advisory filename(s) starts with RUSTSEC-0000-0000 as the ID
  • date field is set to the public disclosure date
  • Contains a concise and descriptive title after advisory metadata
  • Asked maintainer(s) if publishing an advisory is appropriate

@djc

djc commented Jul 9, 2026

Copy link
Copy Markdown
Member

This does not affect safe code of the library. It only affects niche, unlikely to be useful or used, safety invariants.

If so, I don't think we need an advisory for it.

@bluurryy

bluurryy commented Jul 9, 2026

Copy link
Copy Markdown
Author

I do believe it is very unlikely that someone encounters that bug. Though I was thinking that for a soundness bug such as this it would be better safe than sorry, given that if someone was bitten by that bug it could hurt a lot.

I think an informational = "unsound" advisory is warranted. The description of informational = "unsound" in the MAINTAINERS_GUIDE.md fits this bug well:

informational = "unsound" is used for soundness issues that can only be triggered by a programmer (as opposed to e.g. a malicious input), and/or require very contrived code to trigger. They will be surfaced as warnings instead of hard errors by cargo audit.

@djc

djc commented Jul 9, 2026

Copy link
Copy Markdown
Member

Please have a look at

@bluurryy

bluurryy commented Jul 9, 2026

Copy link
Copy Markdown
Author

I've read through it and do think that this advisory would have a very low signal to noise ratio. In that sense I'd no longer like to add this advisory.

Thanks for the review!

@bluurryy bluurryy closed this Jul 9, 2026
@bluurryy bluurryy deleted the bump-scope-misdocumented-use-after-free branch July 12, 2026 03:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants