
Cloud Vulnerability DB
A community-led vulnerabilities database
A moderate severity vulnerability was discovered in the enumflags2 Rust package (GHSA-qvc4-78gw-pv8p) affecting versions 0.7.0 through 0.7.6 and fixed in 0.7.7. The vulnerability involves the make_bitflags! macro, which incorrectly assumes that every expression of the form Enum::Variant names an enum variant, which can lead to undefined behavior. The issue was published and reviewed on April 24, 2023 (GitHub Advisory).
The vulnerability stems from the make_bitflags! macro's assumption about enum variant expressions. The macro fails to account for cases where an expression of that form is an associated integer constant rather than an enum variant. For such a constant there is no guarantee that its value consists only of bits that are valid for the bitflag type. Once an invalid BitFlags value exists, operations such as iteration or debug formatting, which internally iterate over the value, trigger undefined behavior (RustSec Advisory).
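The class of bug described above, as an added example that is not enumflags2's own code: a constructed enum Perm, a PermFlags wrapper and two small macros stand in for the crate's types and for make_bitflags!, so the names Perm, PermFlags, ALL_BITS, from_bits and the macro names are all assumptions. The unchecked macro accepts an associated constant with foreign bits exactly as the advisory describes; the hardened one validates at construction instead.

```rust
// Added illustration, not enumflags2's own code: a minimal bit-flag wrapper
// with the invariant the advisory describes (only bits belonging to some
// variant may be set) and a macro that trusts `Enum::Name` syntax blindly.

#[repr(u8)]
#[derive(Clone, Copy, Debug, PartialEq)]
enum Perm { Read = 0b001, Write = 0b010, Exec = 0b100 }

impl Perm {
    // Constructed associated constant: `Perm::ALL_BITS` is written like a
    // variant path, but its value sets bits that no variant defines.
    const ALL_BITS: u8 = 0xFF;
    const VARIANTS: [Perm; 3] = [Perm::Read, Perm::Write, Perm::Exec];
    const VALID_MASK: u8 = 0b111;
}

#[derive(Clone, Copy, Debug, PartialEq)]
struct PermFlags(u8);

impl PermFlags {
    /// Checked constructor: rejects any bit outside the defined variants.
    fn from_bits(bits: u8) -> Option<PermFlags> {
        if bits & !Perm::VALID_MASK == 0 { Some(PermFlags(bits)) } else { None }
    }
    fn bits(&self) -> u8 { self.0 }
    /// The invariant that iteration and Debug formatting rely on.
    fn is_valid(&self) -> bool { self.0 & !Perm::VALID_MASK == 0 }
    /// Walks only known variants, so foreign bits are dropped rather than
    /// reinterpreted as an enum value (the step that would be UB).
    fn variants(&self) -> Vec<Perm> {
        let mut out = Vec::new();
        for v in Perm::VARIANTS { if self.0 & (v as u8) != 0 { out.push(v); } }
        out
    }
}

// Unchecked, mirroring the flawed assumption: every `$e as u8` is accepted.
macro_rules! make_flags_unchecked {
    ($($e:expr),+ $(,)?) => { PermFlags(0 $(| ($e as u8))+) };
}
// Hardened: goes through the checked constructor, so foreign bits fail.
macro_rules! make_flags_checked {
    ($($e:expr),+ $(,)?) => { PermFlags::from_bits(0 $(| ($e as u8))+) };
}

fn unchecked_from_const() -> PermFlags { make_flags_unchecked!(Perm::Read, Perm::ALL_BITS) }
fn checked_from_const() -> Option<PermFlags> { make_flags_checked!(Perm::Read, Perm::ALL_BITS) }
fn checked_from_variants() -> Option<PermFlags> { make_flags_checked!(Perm::Read, Perm::Write) }
fn main() { println!("{:?} valid={}", unchecked_from_const(), unchecked_from_const().is_valid()); }
```

In a real implementation the invalid 0xFF value would be transmuted back into the enum during iteration, which is the undefined behavior; here the broken invariant is simply made observable through is_valid.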
Programs using an affected enumflags2 version can exhibit undefined behavior as a result. The impact is most visible when printing or iterating over a BitFlags value built from such an invalid constant, since those operations are the ones that trigger the undefined behavior (GitHub Release).
The vulnerability has been patched in version 0.7.7 of the enumflags2 package. All affected versions (0.7.0 through 0.7.6) have been yanked from the registry. Users should upgrade to version 0.7.7 or later to address this security issue (RustSec Advisory).
Source: This report was generated using AI