Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS14dmM5LXh3Z2otNGNxOc4AArqo

Duplicate Advisory: Integer Overflow in HeaderMap::reserve() can cause Denial of Service

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-x7vr-c387-8w57. This link is maintained to preserve external references.

Original Description

HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode.

If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).

The flaw was corrected in 0.1.20 release of http crate.

Permalink: https://github.com/advisories/GHSA-xvc9-xwgj-4cq9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14dmM5LXh3Z2otNGNxOc4AArqo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 5 months ago

Widthdrawn: 5 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-xvc9-xwgj-4cq9, CVE-2019-25008
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-25008
• https://github.com/hyperium/http/issues/352
• https://rustsec.org/advisories/RUSTSEC-2019-0033.html
• https://github.com/advisories/GHSA-xvc9-xwgj-4cq9

Repository: https://github.com/hyperium/http
Blast Radius: 34.7

Affected Packages