
Cloud Vulnerability DB
A community-led vulnerabilities database
The ascii crate for Rust contained a vulnerability in versions from 0.6.0 up to, but not including, 0.9.3 that allowed out-of-bounds array indexing to be reached from safe code. The vulnerability was disclosed on February 25, 2023, and was assigned the identifier GHSA-mrrw-grhq-86gf. The issue stemmed from the crate's implementations of From<&mut AsciiStr> for &mut [u8] and for &mut str (RustSec Advisory).
The root cause was that these two From implementations were unsound: they were callable from safe code, yet they handed out a mutable byte view of an AsciiStr, so the caller could store non-ASCII bytes (0x80 through 0xFF) in it. AsciiChar is a #[repr(u8)] enum with exactly 128 variants, so the compiler assumes that every value read as an AsciiChar lies in 0 through 127. Reading back a byte outside that range yields an invalid enum value, which is undefined behavior; in practice, code that indexes a 128-element table with the character value can have its bounds check optimized away in release mode and read beyond the array. A proof of concept in the GitHub issue demonstrated exactly this out-of-bounds access (GitHub Issue).
The impact is out-of-bounds array indexing, and more generally undefined behavior, reachable entirely from safe Rust. That is what makes the bug notable: Rust's memory-safety guarantees hold only while every safe API preserves the invariants that unsafe code relies on, and these conversions let safe callers break the "all bytes are ASCII" invariant that the rest of the crate trusted (GitHub Advisory).
The vulnerability was fixed in version 0.9.3 of the ascii crate by removing the unsound trait implementations in commit 8a6c779. Users should upgrade to 0.9.3 or later; code that depended on the removed conversions will no longer compile after the upgrade, which is the intended outcome. Those unable to upgrade immediately should avoid obtaining a &mut [u8] or &mut str from an AsciiStr through these From implementations, and should also audit for indirect uses such as .into() calls or <&mut [u8]>::from(...) applied to an &mut AsciiStr, which a search for the word "From" alone will miss (RustSec Advisory).
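To make the failure mode described above and the remediation concrete, here is an added example; it is not part of the original report and is not the ascii crate's own code. It models the crate's invariant with a hypothetical AsciiString newtype over Vec<u8> (the real crate uses a #[repr(u8)] AsciiChar enum with 128 variants, which is why a broken invariant there is undefined behavior rather than a visible failure). as_bytes_mut_unsound has the shape of the removed From<&mut AsciiStr> conversions, try_mutate is one sound replacement that re-validates before committing, and class_of stands in for code that trusts the invariant when indexing a 128-entry table. All of these names are illustrative assumptions, and the sample inputs are constructed.

```rust
/// Illustrative model, not the `ascii` crate's own type: a byte string whose
/// invariant is "every byte is < 0x80". Unsafe code elsewhere in a real crate
/// may rely on that invariant, so every mutation path must re-establish it.
#[derive(Debug, Clone, PartialEq)]
pub struct AsciiString(Vec<u8>);

impl AsciiString {
    /// Validate once at the trust boundary. On failure, Err carries the index
    /// of the first non-ASCII byte so the caller can report where it went wrong.
    pub fn from_bytes(bytes: &[u8]) -> Result<Self, usize> {
        match bytes.iter().position(|b| !b.is_ascii()) {
            Some(i) => Err(i),
            None => Ok(AsciiString(bytes.to_vec())),
        }
    }

    /// A shared view is always sound: nothing can be written through it.
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }

    /// The API shape the advisory describes (`From<&mut AsciiStr> for &mut [u8]`
    /// and `for &mut str`). Handing out a raw mutable view lets purely safe code
    /// store 0x80..=0xFF and silently break the invariant. Kept here only to show
    /// what such an escape hatch looks like; a real type must not expose it.
    pub fn as_bytes_mut_unsound(&mut self) -> &mut [u8] {
        &mut self.0
    }

    /// Sound replacement: let the caller mutate a scratch copy, re-validate, and
    /// commit only if the invariant still holds. On failure the original is
    /// untouched and Err carries the offending index.
    pub fn try_mutate<F: FnOnce(&mut [u8])>(&mut self, f: F) -> Result<(), usize> {
        let mut scratch = self.0.clone();
        f(&mut scratch);
        match scratch.iter().position(|b| !b.is_ascii()) {
            Some(i) => Err(i),
            None => {
                self.0 = scratch;
                Ok(())
            }
        }
    }

    /// Explicit invariant check. The real `AsciiChar` enum makes the compiler
    /// assume this silently; here it is something a test can assert on.
    pub fn invariant_holds(&self) -> bool {
        self.0.iter().all(|b| b.is_ascii())
    }
}

/// Stand-in for code that trusts the invariant: a 128-entry classification table
/// indexed by the character value. With the crate's `#[repr(u8)]` enum the
/// compiler knows the index is < 128 and may drop the bounds check in release
/// builds, so a 0xFF byte becomes an out-of-bounds read. In this model the check
/// stays, so a broken invariant surfaces as `None` instead.
pub fn class_of(table: &[u8; 128], s: &AsciiString, i: usize) -> Option<u8> {
    let byte = *s.as_bytes().get(i)?;
    table.get(byte as usize).copied()
}

fn main() {
    // Constructed sample input for the demonstration.
    let mut s = AsciiString::from_bytes(b"abc").expect("valid ASCII");
    let table = [1u8; 128]; // toy table: every ASCII code point maps to class 1

    // Unsound path: safe code writes a non-ASCII byte and the invariant is gone.
    s.as_bytes_mut_unsound()[0] = 0xFF;
    println!("invariant holds after unsound write: {}", s.invariant_holds());
    println!("class_of(byte 0) = {:?}", class_of(&table, &s, 0));

    // Sound path: the non-ASCII write is rejected and the string is unchanged.
    let mut t = AsciiString::from_bytes(b"abc").expect("valid ASCII");
    println!("try_mutate with 0xE9 -> {:?}", t.try_mutate(|b| b[1] = 0xE9));
    println!("still {:?}", String::from_utf8_lossy(t.as_bytes()));
    println!("uppercase -> {:?}", t.try_mutate(|b| b.make_ascii_uppercase()));
    println!("now {:?}", String::from_utf8_lossy(t.as_bytes()));
}
```

The design point is where validation happens: once on the way in (from_bytes) and once after every mutation (try_mutate), never skipped because a caller was handed the raw buffer. Auditing a dependency for this bug class means looking for any public function or trait impl that returns a &mut to the storage behind a type with a validity invariant.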
Source: This report was generated using AI