CVE-2023-28448: 
Rust vulnerability analysis and mitigation

Versionize, a framework for version tolerant serialization/deserialization of Rust data structures, was found to contain a vulnerability identified as CVE-2023-28448. The vulnerability was discovered in the 'Versionize::deserialize' implementation provided by the 'versionize' crate for 'vmmsysutils::fam::FamStructWrapper', which could lead to out-of-bounds memory accesses. The issue affected versions from 0.1.1 and was patched in version 0.1.10 (GitHub Advisory).

The vulnerability stems from the way FamStructWrapper handles C-style flexible array members. The data format stores the size of the allocation twice: once in the header (len1) and again as metadata of the memory allocation (len2). During deserialization, the library separately deserializes the header and memory allocation, allocating len2 bytes of memory and prefixing it with the separately deserialized header. Since len2 is an implementation detail, it's forgotten after deserialization, and subsequent operations assume the memory allocated has size len1. If len1 != len2 in malformed input, this can lead to out-of-bounds memory access. The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) according to NVD assessment (NVD).

When exploited, this vulnerability could lead to out-of-bounds memory accesses, particularly if len1 > len2 in the deserialized data. This could potentially result in unauthorized access to memory contents beyond the intended boundaries of the allocated memory (GitHub PR).

The issue was fixed in version 0.1.10 of the versionize crate by implementing a check that verifies the lengths of compared flexible arrays are equal for any deserialized header. The fix aborts deserialization if a mismatch is detected. Users are advised to upgrade to version 0.1.10 or later (GitHub Commit).