{
  "schema_version": "1.4.0",
  "id": "GHSA-ghpq-vjxw-ch5w",
  "modified": "2021-08-18T20:41:10Z",
  "published": "2021-08-25T20:56:52Z",
  "aliases": [],
  "summary": "Use after free in libpulse-binding",
  "details": "### Overview\n\nVersion 1.2.1 of the `libpulse-binding` Rust crate, released on the 15th of June 2018, fixed a pair of use-after-free issues with the objects returned by the `get_format_info` and `get_context` methods of `Stream` objects. These objects were mistakenly being constructed without setting an important flag to prevent destruction of the underlying C objects they reference upon their own destruction.\n\nThis advisory is being written retrospectively, having previously only been noted in the changelog. No CVE assignment was sought.\n\n### Patches\n\nUsers are required to update to version 1.2.1 or newer.\n\nVersions older than 1.2.1 have been yanked from crates.io. This was believed to have already been done at the time of the 1.2.1 release, but upon double checking now they were found to still be available, so has been done now (22nd October 2020).",
  "severity": [],
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libpulse-binding"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jnqnfe/pulse-binding-rust/security/advisories/GHSA-ghpq-vjxw-ch5w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jnqnfe/pulse-binding-rust"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2018-0021.html"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T20:41:10Z",
    "nvd_published_at": null
  }
}