CVE-2020-35894

7.5 HIGH

📋 TL;DR

This vulnerability in the Rust obstack crate allows unaligned memory references, which can lead to memory corruption and potential crashes. It affects Rust applications using obstack versions before 0.1.4. Developers using this crate in their Rust projects are primarily affected.

💻 Affected Systems

Products:
  • obstack Rust crate
Versions: All versions before 0.1.4
Operating Systems: All operating systems running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Rust applications that directly or transitively depend on obstack crate versions <0.1.4.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory corruption leading to arbitrary code execution, denial of service, or data corruption in applications using the vulnerable obstack crate.

🟠

Likely Case

Application crashes, undefined behavior, or memory corruption errors when handling specific memory operations.

🟢

If Mitigated

No impact if using patched version or if application doesn't trigger the specific memory alignment conditions.

🌐 Internet-Facing: MEDIUM - Depends on how the application uses obstack; could be exploited if attacker can influence memory operations.
🏢 Internal Only: MEDIUM - Similar risk profile but limited to internal systems using vulnerable applications.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific conditions to trigger unaligned memory references; no public exploits known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.4

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0040.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to specify obstack = "^0.1.4" or higher.
2. Run 'cargo update' to fetch the patched version.
3. Rebuild and redeploy your Rust application.

🔧 Temporary Workarounds

Pin to patched version (applies to: all platforms)

Force dependency resolution to use patched version 0.1.4 or later:

cargo update -p obstack

🧯 If You Can't Patch

  • Remove or replace obstack dependency with alternative memory management crate
  • Implement input validation and bounds checking around memory operations using obstack

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock for obstack version <0.1.4 or run 'cargo tree | grep obstack'

Check Version:

grep -A1 '^name = "obstack"$' Cargo.lock

Verify Fix Applied:

Verify Cargo.lock shows obstack version 0.1.4 or higher after update
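The grep one-liners above show the resolved version but still leave the comparison to the reader, and a plain `grep obstack` also matches any crate whose name merely contains that string. The script below is an added example (not part of this advisory or of the obstack project): it walks a Cargo.lock package by package, extracts every resolved version of the crate named exactly `obstack`, and compares each against the patched 0.1.4 with a numeric component-by-component comparison (so 0.1.10 correctly sorts above 0.1.4). The lockfiles it scans in the demo are constructed samples written by the script itself; `write_sample_lock`, `obstack_versions`, `version_lt` and `check_lockfile` are names chosen here, not tooling from the advisory.

```shell
#!/bin/sh
# Added example: detect a vulnerable obstack (< 0.1.4, CVE-2020-35894)
# in a Cargo.lock. POSIX sh + awk only, so it runs in CI images without cargo.

# Print every resolved version of the crate named exactly "obstack".
# Matching the full 'name = "obstack"' line avoids false hits on crates
# whose names merely contain the string (e.g. a hypothetical obstack-helper).
obstack_versions() {
    awk '
        /^\[\[package\]\]/        { name = "" }
        /^name = "obstack"$/      { name = "obstack" }
        /^version = / && name == "obstack" {
            gsub(/"/, "", $3); print $3; name = ""
        }
    ' "$1"
}

# Print "lt" if dotted version $1 is numerically below $2, otherwise "ge".
# Components are compared as integers; a pre-release suffix such as
# "0.1.4-beta" is treated as its numeric prefix (assumption of this example).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "lt"; exit }
            if (xi > yi) { print "ge"; exit }
        }
        print "ge"
    }'
}

# Report each resolved obstack copy. Returns 0 (shell "true") if at least
# one copy is below the patched version, 1 if obstack is absent or patched.
check_lockfile() {
    lock="$1"
    patched="0.1.4"
    vulnerable=1
    for v in $(obstack_versions "$lock"); do
        if [ "$(version_lt "$v" "$patched")" = lt ]; then
            echo "VULNERABLE: $lock resolves obstack $v (< $patched, CVE-2020-35894)"
            vulnerable=0
        else
            echo "ok: $lock resolves obstack $v (>= $patched)"
        fi
    done
    return $vulnerable
}

# Write a minimal constructed Cargo.lock (not from any real project) that
# pins obstack to the version given as $2, plus a decoy crate with a similar name.
write_sample_lock() {
    cat > "$1" <<EOF
# constructed sample lockfile
version = 3

[[package]]
name = "example-app"
version = "0.1.0"
dependencies = [
 "obstack",
]

[[package]]
name = "obstack"
version = "$2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "obstack-helper"
version = "9.9.9"
EOF
}

# Demo against two constructed lockfiles; use check_lockfile ./Cargo.lock on a real project.
tmp=$(mktemp -d)
write_sample_lock "$tmp/vulnerable.lock" "0.1.3"
write_sample_lock "$tmp/patched.lock" "0.1.4"
check_lockfile "$tmp/vulnerable.lock" || true
check_lockfile "$tmp/patched.lock" || true
rm -rf "$tmp"
```

In a workspace that resolves two copies of the crate (possible when transitive dependencies pin different ranges), every copy is reported, which `head -1` on a grep would hide; a non-zero exit from `check_lockfile` is the "clean" result, so invert it if you wire the script into a CI gate.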

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults
  • Memory access violation errors
  • Unaligned memory access warnings

Network Indicators:

  • None specific - this is a local memory corruption issue

SIEM Query:

Application logs containing 'segmentation fault', 'SIGSEGV', or 'unaligned' errors from Rust applications

🔗 References