Advisories for Cargo/Diesel package

Diesel uses the sqlite3_value_text function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as *const c_char. Based on that we used str::from_utf8_unchecked to construct a Rust string slice without any additional UTF-8 checks in place. It turned out that this function doesn't always return correct UTF-8 strings. For field of the SQLite side …

The following presentation at this year's DEF CON was brought to our attention on the Diesel Gitter Channel:

An issue was discovered in the diesel crate before 1.4.6 for Rust. There is a use-after-free in the SQLite backend because the semantics of sqlite3_column_name are not followed.