Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS12OTM1LXBxbXItZzh2Oc0W1w

Moderate
Permalink JSON

Unexpected panics in num-bigint

Affected Packages Affected Versions Fixed Versions
cargo:num-bigint >= 0.4.1, < 0.4.3 0.4.3
1,081 Dependent packages
20,513 Dependent repositories
234,000,750 Downloads total

Affected Version Ranges

All affected versions

0.4.1, 0.4.2

All unaffected versions

0.1.32, 0.1.33, 0.1.35, 0.1.36, 0.1.37, 0.1.38, 0.1.39, 0.1.40, 0.1.41, 0.1.42, 0.1.43, 0.1.44, 0.1.45, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.3, 0.4.4, 0.4.5, 0.4.6

Impact

Two scenarios were reported where BigInt and BigUint multiplication may unexpectedly panic.

  • The internal mac3 function did not expect the possibility of non-empty all-zero inputs, leading to an unwrap() panic.
  • A buffer was allocated with less capacity than needed for an intermediate result, leading to an assertion panic.

Rust panics can either cause stack unwinding or program abort, depending on the application configuration. In some settings, an unexpected panic may constitute a denial-of-service vulnerability.

Patches

Both problems were introduced in version 0.4.1, and are fixed in version 0.4.3.

For more information

If you have any questions or comments about this advisory, please open an issue in the num-bigint repo.

Acknowledgements

Thanks to Guido Vranken and Arvid Norberg for privately reporting these issues to the author.

References

References:

Identifiers

GHSA-v935-pqmr-g8v9

Risk

Severity

Moderate

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/rust-num/num-bigint

Date and time

Published

over 3 years ago

Updated

over 2 years ago

API

JSON