Ecosyste.ms: Advisories
Security Advisories: GSA_kwCzR0hTQS03dm02LXF3aDUtOXg0NM4ABA9B
loona-hpack Panic Vulnerability
Summary
loona-hpack suffers from the same vulnerability as the original hpack, as documented in https://github.com/mlalic/hpack-rs/issues/11
Details
The original issue includes a very nice description of the problem, as well as an easy-enough fix for it.
PoC
The original example pretty much still applies:

```rust
use loona_hpack::Decoder;

pub fn main() {
    // A single byte is enough: the decoder panics instead of returning an error.
    let input = &[0x3f];
    let mut decoder = Decoder::new();
    let _ = decoder.decode(input);
}
```
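For context on why that one byte is enough, as an added illustration that is not loona-hpack's code: under RFC 7541, 0x3f is 001_11111, a dynamic table size update (§6.3) whose 5-bit integer prefix is all ones, so a decoder expects continuation bytes that the one-byte input does not contain. The §5.1 integer decoder below shows the fail-closed handling a decoder fed untrusted input needs, returning `Err` for truncated and over-long encodings; which exact code path panics inside loona-hpack is not stated on this page and is not claimed here.

```rust
// Added example (not loona-hpack's code): an RFC 7541 §5.1 integer decoder
// that fails closed on truncated input instead of reading past the slice.

#[derive(Debug, PartialEq)]
pub enum IntError {
    Empty,         // no bytes to decode
    Truncated,     // a byte promised a continuation that never arrived
    TooManyOctets, // more than 4 continuation bytes (RFC 7541 permits rejecting these)
}

/// Decode an HPACK integer whose low `prefix_bits` (1..=8) of the first byte
/// carry the value. Returns (value, bytes_consumed) and never panics on input.
pub fn decode_integer(buf: &[u8], prefix_bits: u8) -> Result<(u32, usize), IntError> {
    debug_assert!((1..=8).contains(&prefix_bits));
    let first = *buf.first().ok_or(IntError::Empty)?;
    let mask = ((1u16 << prefix_bits) - 1) as u8;
    let mut value = u32::from(first & mask);
    if value < u32::from(mask) {
        return Ok((value, 1)); // fits in the prefix: single byte
    }
    // Prefix saturated: the rest arrives as 7-bit groups, least significant
    // first, each flagged with bit 7 while more follow. With at most four
    // groups the sum stays below 2^29, so plain u32 arithmetic cannot overflow.
    let mut shift = 0u32;
    for (i, &b) in buf[1..].iter().enumerate() {
        if i >= 4 {
            return Err(IntError::TooManyOctets);
        }
        value += u32::from(b & 0x7f) << shift;
        shift += 7;
        if b & 0x80 == 0 {
            return Ok((value, i + 2)); // first byte + (i + 1) continuation bytes
        }
    }
    // The slice ended while the last byte still had its continuation bit set.
    // This is the PoC: 0x3f = 001_11111, a dynamic table size update whose
    // 5-bit prefix is all ones, so the real size lives in bytes that never came.
    Err(IntError::Truncated)
}

fn main() {
    // Constructed inputs: the advisory's PoC byte and RFC 7541 Appendix C.1.2 (1337).
    println!("{:?}", decode_integer(&[0x3f], 5));             // Err(Truncated)
    println!("{:?}", decode_integer(&[0x1f, 0x9a, 0x0a], 5)); // Ok((1337, 3))
}
```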
Impact
From the original:
All users who try to decode untrusted input using the Decoder are vulnerable to this exploit. A patched version of the crate is available on [crates.io](https://crates.io/crates/hpack-patched) under the name hpack-patched. See [Cargo's documentation on overriding dependencies](https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html) for more information.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03dm02LXF3aDUtOXg0NM4ABA9B
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 16 days ago
Updated: 16 days ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-7vm6-qwh5-9x44, CVE-2024-51502
References:
- https://github.com/bearcove/loona/security/advisories/GHSA-7vm6-qwh5-9x44
- https://github.com/mlalic/hpack-rs/issues/11
- https://github.com/bearcove/loona/commit/9a4028ec6484f50a320281271a41a5040ddb1ba8
- https://github.com/advisories/GHSA-w7hm-hmxv-pvhf
- https://nvd.nist.gov/vuln/detail/CVE-2024-51502
- https://github.com/advisories/GHSA-7vm6-qwh5-9x44
Blast Radius: 1.0
Affected Packages
cargo:loona-hpack
Dependent packages: 0
Dependent repositories: 0
Downloads: 2,409 total
Affected Version Ranges: <= 0.4.2
Fixed in: 0.4.3
All affected versions: 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2
All unaffected versions: 0.4.3