GHSA-ghpq-vjxw-ch5w: 
Rust vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the libpulse-binding Rust crate affecting versions prior to 1.2.1. The vulnerability was identified in the objects returned by the get_format_info and get_context methods of Stream objects. The issue was fixed in version 1.2.1, released on June 15, 2018. The vulnerability was assigned multiple identifiers including GHSA-ghpq-vjxw-ch5w, CVE-2018-25027, and CVE-2018-25028 (RustSec).

The vulnerability stems from a programming error where objects were constructed without setting a crucial flag that would prevent the destruction of underlying C objects upon their own destruction. This oversight specifically affected the get_format_info and get_context methods of Stream objects, leading to potential use-after-free scenarios. The issue was classified with CWE-416 (Use After Free) and received a High severity rating (GitHub Advisory).

The vulnerability could lead to memory corruption issues due to the use-after-free condition in the affected methods. This could potentially result in program crashes or undefined behavior when using the affected functions in the libpulse-binding crate (RustSec).

Users are required to update to version 1.2.1 or newer of the libpulse-binding crate. All versions older than 1.2.1 have been yanked from crates.io as of October 22, 2020, to prevent new projects from using vulnerable versions (GitHub Advisory).