Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14M2Y0LTQ1eGYtcmptN84ABB_o
`ruzstd` uninit and out-of-bounds memory reads
Affected versions of ruzstd miscalculate the length of the allocated and initialized section of its internal RingBuffer, leading to uninitialized or out-of-bounds reads of up to 15 bytes in copy_bytes_overshooting.
This may result in up to 15 bytes of memory contents being written into the decoded data when decompressing a crafted archive, and it may occur multiple times per archive. The practical effect is an information leak: bytes of the decompressing process's memory end up in the decompressor's output, which matters wherever untrusted archives are decompressed and the output is returned to the party that supplied them.
Permalink: https://github.com/advisories/GHSA-x3f4-45xf-rjm7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14M2Y0LTQ1eGYtcmptN84ABB_o
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 days ago
Updated: 2 days ago
Identifiers: GHSA-x3f4-45xf-rjm7
References:
- https://github.com/KillingSpark/zstd-rs/issues/75
- https://github.com/KillingSpark/zstd-rs/pull/76
- https://rustsec.org/advisories/RUSTSEC-2024-0400.html
- https://github.com/advisories/GHSA-x3f4-45xf-rjm7
Blast Radius: 0.0
Affected Packages
cargo:ruzstd
Dependent packages: 25
Dependent repositories: 1,112
Downloads: 9,204,134 total
Affected Version Ranges: >= 0.7.0, < 0.7.3
Fixed in: 0.7.3
All affected versions: 0.7.0, 0.7.1, 0.7.2
All unaffected versions: 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.7.3
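The affected range above is the actionable part of the advisory for a downstream project. The following is an added example, not code from the advisory, ecosyste.ms or the ruzstd project: it scans a Cargo.lock for every ruzstd entry and flags versions inside >= 0.7.0, < 0.7.3 using a numeric (not lexical) version comparison. It uses only the Rust standard library; the lock file text in SAMPLE_LOCK is constructed for the example and does not describe any real project's dependency graph.

```rust
// Added example, not code from the advisory or the ruzstd project: scan a
// Cargo.lock for ruzstd versions in the affected range >= 0.7.0, < 0.7.3.
// std only; SAMPLE_LOCK below is a constructed lock file, not a real project's.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Parse a plain MAJOR.MINOR.PATCH string. Pre-release or build suffixes are
/// rejected rather than guessed at, so a malformed line is never treated as safe.
pub fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.');
    let major = parts.next()?.parse().ok()?;
    let minor = parts.next()?.parse().ok()?;
    let patch = parts.next()?.parse().ok()?;
    if parts.next().is_some() {
        return None;
    }
    Some(Version(major, minor, patch))
}

/// Affected range from the advisory: >= 0.7.0, < 0.7.3 (fixed in 0.7.3).
/// The derived Ord compares fields numerically, so 0.7.10 sorts after 0.7.3.
pub fn is_affected(v: Version) -> bool {
    v >= Version(0, 7, 0) && v < Version(0, 7, 3)
}

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub version: String,
    pub affected: bool,
}

/// Return every ruzstd entry in a Cargo.lock with its affected status. A lock
/// file can carry the same crate at several versions, so all are reported;
/// a version that fails to parse is reported as affected (fail closed).
pub fn scan_cargo_lock(lock: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    // Each [[package]] table is a run of "key = value" lines; the text before
    // the first table (lock format version, comments) is skipped.
    for table in lock.split("[[package]]").skip(1) {
        let mut name = None;
        let mut version = None;
        for line in table.lines() {
            if let Some((key, value)) = line.split_once('=') {
                let value = value.trim().trim_matches('"');
                match key.trim() {
                    "name" => name = Some(value),
                    "version" => version = Some(value),
                    _ => {} // source, checksum, dependencies: not needed here
                }
            }
        }
        if name != Some("ruzstd") {
            continue;
        }
        let raw = version.unwrap_or("").to_string();
        let affected = parse_version(&raw).map_or(true, is_affected);
        findings.push(Finding { version: raw, affected });
    }
    findings
}

/// Constructed sample: one affected and one fixed ruzstd version in the same graph.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "byteorder"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "ruzstd"
version = "0.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "byteorder",
]

[[package]]
name = "ruzstd"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    // Replace SAMPLE_LOCK with std::fs::read_to_string("Cargo.lock") for a real scan.
    for f in scan_cargo_lock(SAMPLE_LOCK) {
        let status = if f.affected { "AFFECTED, upgrade to >= 0.7.3" } else { "ok" };
        println!("ruzstd {} -> {}", f.version, status);
    }
}
```

Note that a clean Cargo.lock is necessary but not sufficient: the crate must also be rebuilt and redeployed, and vendored or statically linked copies of ruzstd outside the workspace are not visible to this scan.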