Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12OTM1LXBxbXItZzh2Oc0W1w

Unexpected panics in num-bigint

Impact

Two scenarios were reported in which BigInt and BigUint multiplication may unexpectedly panic.

Rust panics either unwind the stack or abort the process, depending on the application's panic strategy (the Cargo profile setting `panic = "unwind"`, the default, or `panic = "abort"`). Where attacker-controlled operands reach the multiplication, an unexpected panic may constitute a denial-of-service vulnerability: with abort the whole process dies, and even with unwinding the thread or request that hit the panic is lost unless the caller catches it.
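The paragraph above describes the failure mode but not how a caller confines it. The following is an added example, not code from the advisory or from num-bigint: `wide_mul` is a constructed stand-in for a library call that panics on some operand shapes (the advisory does not publish the triggering operands, so plain `u128` overflow is used to provoke the panic), and `guard` wraps such a call in `std::panic::catch_unwind` so the panic surfaces as an `Err` instead of taking down the worker. It only helps when the binary is built with `panic = "unwind"`; under `panic = "abort"` the process terminates before `catch_unwind` can intervene.

```rust
// Added example (not part of the advisory or num-bigint): confine a panic
// raised while processing attacker-controlled operands so it becomes an
// Err for the caller. Works only with panic = "unwind" (the default
// profile setting); with panic = "abort" the process dies first.
use std::panic::{self, AssertUnwindSafe};

/// Run `f` and convert any panic it raises into an `Err` carrying the
/// panic message. `AssertUnwindSafe` is appropriate here because the
/// closure owns its inputs and leaves no shared state half-updated.
pub fn guard<T>(f: impl FnOnce() -> T) -> Result<T, String> {
    panic::catch_unwind(AssertUnwindSafe(f)).map_err(|payload| {
        // std delivers panic payloads as either &'static str or String.
        if let Some(s) = payload.downcast_ref::<&str>() {
            s.to_string()
        } else if let Some(s) = payload.downcast_ref::<String>() {
            s.clone()
        } else {
            "non-string panic payload".to_string()
        }
    })
}

/// Constructed stand-in for a multiplication routine that panics on some
/// inputs. This is NOT the num-bigint bug; it merely panics on u128
/// overflow so the guard has something to catch.
pub fn wide_mul(a: u128, b: u128) -> u128 {
    a.checked_mul(b).expect("multiplication overflowed")
}

fn main() {
    // Quiet the default hook so the caught panic does not print to stderr.
    panic::set_hook(Box::new(|_| {}));
    println!("{:?}", guard(|| wide_mul(6, 7)));            // Ok(42)
    println!("{:?}", guard(|| wide_mul(u128::MAX, 2)));    // Err("multiplication overflowed")
}
```

Note that `catch_unwind` is a containment measure, not a fix: the only real remedy is upgrading past the affected range, and the guard should be removed once the dependency is patched so that genuine logic errors are not silently swallowed.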

Patches

Both problems were introduced in version 0.4.1 and are fixed in version 0.4.3; the affected releases are therefore 0.4.1 and 0.4.2.

For more information

If you have any questions or comments about this advisory, please open an issue in the num-bigint repo.

Acknowledgements

Thanks to Guido Vranken and Arvid Norberg for privately reporting these issues to the author.

References

Permalink: https://github.com/advisories/GHSA-v935-pqmr-g8v9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12OTM1LXBxbXItZzh2Oc0W1w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


Identifiers: GHSA-v935-pqmr-g8v9
References: Repository: https://github.com/rust-num/num-bigint
Blast Radius: 0.0

Affected Packages

cargo:num-bigint
Dependent packages: 923
Dependent repositories: 20,513
Downloads: 107,745,036 total
Affected Version Ranges: >= 0.4.1, < 0.4.3
Fixed in: 0.4.3
All affected versions: 0.4.1, 0.4.2
All unaffected versions: 0.1.32, 0.1.33, 0.1.35, 0.1.36, 0.1.37, 0.1.38, 0.1.39, 0.1.40, 0.1.41, 0.1.42, 0.1.43, 0.1.44, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.3, 0.4.4
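The range data above is what a supply-chain check consumes. The following is an added example, not tooling from ecosyste.ms or num-bigint: it scans a Cargo.lock text for `num-bigint` entries whose version falls inside `>= 0.4.1, < 0.4.3`. The lockfile excerpt `SAMPLE_LOCK` is constructed for the example, and the semver parser assumes plain `MAJOR.MINOR.PATCH` versions (num-bigint's crates.io releases carry no pre-release tags). In practice `cargo audit` does this against the RustSec database; the point here is to show what the range comparison and lockfile walk look like.

```rust
// Added example (not part of the advisory or num-bigint): flag Cargo.lock
// entries for num-bigint that fall inside the advisory's affected range.
// Cargo.lock is TOML, but [[package]] entries are flat `key = "value"`
// lines, so a line-oriented parser suffices for this check.

/// Minimal semver triple. Pre-release and build metadata are not handled
/// (assumption: the releases being checked do not use them).
#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone, Copy)]
pub struct Version(pub u64, pub u64, pub u64);

pub fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = Version(parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None; // more than three components is not a plain triple
    }
    Some(v)
}

/// Affected range from the advisory: >= 0.4.1, < 0.4.3.
pub fn is_affected(v: Version) -> bool {
    v >= Version(0, 4, 1) && v < Version(0, 4, 3)
}

fn flush(name: &mut Option<String>, version: &mut Option<Version>, out: &mut Vec<(String, Version)>) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        out.push((n, v));
    }
}

/// Return (name, version) for every [[package]] entry in a Cargo.lock text.
pub fn lock_packages(lock: &str) -> Vec<(String, Version)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<Version> = None;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut out);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            // The top-level `version = 3` lockfile-format line fails to parse
            // as a triple and is ignored.
            version = parse_version(rest.trim_matches('"'));
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Human-readable list of num-bigint entries inside the affected range.
pub fn affected_entries(lock: &str) -> Vec<String> {
    lock_packages(lock)
        .into_iter()
        .filter(|(n, v)| n.as_str() == "num-bigint" && is_affected(*v))
        .map(|(n, v)| format!("{} {}.{}.{}", n, v.0, v.1, v.2))
        .collect()
}

/// Constructed Cargo.lock excerpt for this example; not from a real project.
/// A lockfile may legitimately pin two versions of the same crate.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "num-bigint"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "num-integer",
 "num-traits",
]

[[package]]
name = "num-integer"
version = "0.1.46"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "num-bigint"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for hit in affected_entries(SAMPLE_LOCK) {
        println!("affected: {hit} (GHSA-v935-pqmr-g8v9, fixed in 0.4.3)");
    }
}
```

Run against a real project with `affected_entries(&std::fs::read_to_string("Cargo.lock")?)`; a hit means `cargo update -p num-bigint` (or bumping the pin) to 0.4.3 or later, after which re-running the check should return an empty list.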