Add advisory for zipora undefined behavior

[lewismosciski]

The safe function fast_prefetch_range accepts raw pointer without validation, allowing undefined behavior through pointer wraparound.

Details

• Affects versions < 2.0.1
• Fixed in v2.0.1 by changing API to accept &[u8] instead of raw pointer
• Maintainer confirmed and patched: Soundness Issue: Public API fast_prefetch_range can lead to Undefined Behavior infinilabs/zipora#10

[djc]

@bindiego are you okay with this advisory being published?

@lewismosciski the RustSec project by policy typically requires maintainers to consent to advisories. If you're going to file lots of these, please bring along the maintainers where possible.

[lewismosciski]

Hi @djc, thanks for the heads-up on the policy.

All advisories I filed are for issues that have already been confirmed and patched by the maintainers.

I'm signing off for the day, but I'll contact the maintainers for these pending advisories to get their consent here when I'm back.

One follow-up question: For future reference, what is the policy if a maintainer doesn't respond to a vulnerability report after a reasonable amount of time? Is publishing an advisory still possible then?

[djc]

One follow-up question: For future reference, what is the policy if a maintainer doesn't respond to a vulnerability report after a reasonable amount of time? Is publishing an advisory still possible then?

See https://github.com/rustsec/advisory-db/blob/main/HOWTO_UNMAINTAINED.md.