Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05Nmp2LXI0ODgtYzJyas4AAw1m
bzip2 allows attackers to cause a denial of service via a large file that triggers an integer overflow
The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05Nmp2LXI0ODgtYzJyas4AAw1m
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-96jv-r488-c2rj, CVE-2023-22895
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-22895
- https://github.com/alexcrichton/bzip2-rs/pull/86
- https://crates.io/crates/bzip2/versions
- https://rustsec.org/advisories/RUSTSEC-2023-0004.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/MI5SVRSGKBWB2JGDLDVIFY5ZQVDZP6I7/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/SQK57GGXJX3AH7KF6S7S3N7JC5QOYUQ7/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/UUK2JO25PPA6XBREKJRBLRCD22LKIOLO/
- https://github.com/alexcrichton/bzip2-rs/commit/90c9c182cd5a5ebc75810aebd89b347a7bdf590b
- https://github.com/advisories/GHSA-96jv-r488-c2rj
Blast Radius: 28.0
Affected Packages
cargo:bzip2
Dependent packages: 186Dependent repositories: 5,415
Downloads: 20,313,683 total
Affected Version Ranges: < 0.4.4
Fixed in: 0.4.4
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.1, 0.4.2, 0.4.3
All unaffected versions: 0.4.4