CVE-2019-16881: Use after free in portaudio-rs

August 25, 2021 (updated June 13, 2023)

Affected versions of this crate is not panic safe within callback functions stream_callback and stream_finished_callback. The call to user-provided closure might panic before a mem::forget call, which then causes a use after free that grants attacker to control the callback function pointer. This allows an attacker to construct an arbitrary code execution .

References

github.com/advisories/GHSA-qpjr-ch72-2qq4
github.com/mvdnes/portaudio-rs
github.com/mvdnes/portaudio-rs/commit/7466df019f6739732fd91401017942c22364ef61
github.com/mvdnes/portaudio-rs/issues/20
nvd.nist.gov/vuln/detail/CVE-2019-16881
rustsec.org/advisories/RUSTSEC-2019-0022.html

Code Behaviors & Features

Detect and mitigate CVE-2019-16881 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →