
Fix incomplete affected functions for RUSTSEC-2026-0041#2724

Draft
Marcono1234 wants to merge 1 commit into rustsec:main from Marcono1234:lz4_flex

Conversation


Marcono1234 commented Mar 17, 2026

See also PSeitz/lz4_flex#213 (comment)

CC @PSeitz

(Question to the rustsec maintainers mostly) What exact effect does affected.functions have though, and can it cause false negatives? E.g. when someone uses an ancient lz4_flex version (quite unlikely though) where the API was different, would that erroneously be considered safe? Maybe the implementation back then was actually not affected by this vulnerability, though it might be better to err on the safe side and flag usage of such old versions as vulnerable?

Review comment on lines -31 to +40 of the advisory (the removed lines first, then the added lines):
- Decompressing with the `unsafe` implementation (`safe-decode` feature flag disabled, which
is the default): can leak content of uninitialized memory as part of the decompressed result.
- Decompressing with the `unsafe` implementation (`safe-decode` feature flag disabled; flag is
enabled by default): can leak content of uninitialized memory as part of the decompressed result.
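Review bot: the reworded bullet leaves the reader to infer that the vulnerable decoder is opt-in, since `safe-decode` is enabled by default; state that directly so the affected configuration is unambiguous, e.g. `- Decompressing with the \`unsafe\` implementation (the \`safe-decode\` feature disabled; it is enabled by default, so builds using the default feature set are not affected): can leak content of uninitialized memory as part of the decompressed result.` Naming the feature once and putting the default in a parenthetical also avoids the two phrasings `feature flag disabled` and `flag is enabled by default` reading as a contradiction.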
Marcono1234 (Author) commented Mar 17, 2026


Reworded this to make it (hopefully) clearer; "which is the default" might have been ambiguous, e.g. whether it means "the flag is enabled by default" or "the flag being disabled is the default".

I hope that is ok.

Review comment on lines +14 to +21 of the advisory (added lines):
"lz4_flex::block::decompress" = ["<= 0.11.5", "= 0.12.0"]
"lz4_flex::block::decompress_with_dict" = ["<= 0.11.5", "= 0.12.0"]
"lz4_flex::block::decompress_size_prepended" = ["<= 0.11.5", "= 0.12.0"]
"lz4_flex::block::decompress_size_prepended_with_dict" = ["<= 0.11.5", "= 0.12.0"]
# Deprecated re-exports
"lz4_flex::decompress" = ["<= 0.11.5", "= 0.12.0"]
"lz4_flex::decompress_into" = ["<= 0.11.5", "= 0.12.0"]
"lz4_flex::decompress_size_prepended" = ["<= 0.11.5", "= 0.12.0"]
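Review bot: the `block` list has no counterpart for `lz4_flex::decompress_into`, which the comment labels a deprecated re-export; the other two re-exports (`lz4_flex::decompress`, `lz4_flex::decompress_size_prepended`) each have their `lz4_flex::block::...` original listed, but `decompress_into` does not. A deprecated re-export implies a non-deprecated source path, so if that path is `lz4_flex::block::decompress_into` (and a `_with_dict` variant exists alongside the other `_with_dict` functions listed here), add entries for it with the same `["<= 0.11.5", "= 0.12.0"]` ranges; otherwise tools matching on `affected.functions` would miss callers of the current path while flagging only the deprecated one.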
Marcono1234 (Author) commented Mar 17, 2026


I hope I did not overlook something here. If possible please double-check.

djc (Member) commented Mar 17, 2026

> (Question to the rustsec maintainers mostly) What exact effect does affected.functions have though, and can it cause false negatives? E.g. when someone uses an ancient lz4_flex version (quite unlikely though) where the API was different, would that erroneously be considered safe? Maybe the implementation back then was actually not affected by this vulnerability, though it might be better to err on the safe side and flag usage of such old versions as vulnerable?

I don't know how various tools consume this information.
