GHSA-f95p-4cv5-8w8x: linkme fails to ensure slice elements match the slice's declared type

December 4, 2024

Affected versions allow populating a DistributedSlice of T with elements of an arbitrary other type that coerces to T. For example, elements of type &&str could end up in a slice of type [&str], since &&str coerces to &str via a deref coercion.

The flaw was corrected by implementing typechecking for distributed slice elements in such a way that coercion no longer occurs. The element’s type must be a subtype of the slice’s declared element type.

References

github.com/advisories/GHSA-f95p-4cv5-8w8x
github.com/dtolnay/linkme
github.com/dtolnay/linkme/issues/82
rustsec.org/advisories/RUSTSEC-2024-0407.html

Code Behaviors & Features

Detect and mitigate GHSA-f95p-4cv5-8w8x with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →