GHSA-xpp3-xrff-w6rh: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-xpp3-xrff-w6rh) affects the RocksDB Rust implementation, specifically versions prior to 0.19.0. The issue was discovered and reported on May 11, 2022, and was publicly disclosed on August 11, 2022. The vulnerability involves an out-of-bounds read condition when using the rocksdb::DBWithThreadMode::opencfdescriptorswithttl() function with multiple column families (RustSec Advisory, GitHub Advisory).

The vulnerability stems from an incorrect implementation where the RocksDB C API rocksdbopencolumnfamilieswith_ttl() was called with a pointer to a single integer TTL value, whereas the API expects one TTL value for each column family. This implementation error could lead to an out-of-bounds read when multiple column families are involved. The issue was identified and fixed through a pull request that addressed the buffer over-read condition (RocksDB PR).

The vulnerability affects applications using the rocksdb crate's DBWithThreadMode::opencfdescriptorswithttl() function with multiple column families. When exploited, it could lead to memory corruption through out-of-bounds read operations (RustSec Advisory).

The vulnerability has been fixed in version 0.19.0 of the rocksdb crate. Users are advised to upgrade to this version or later to address the issue. The fix involves correcting the implementation to properly handle TTL values for multiple column families (RocksDB Release).