Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mcTMzLXZtaHYtNDh4aM4AAyoP
ntru-rs has unsound FFI: Wrong API usage causes write past allocated area
The following usage causes undefined behavior.
let kp: ntru::types::KeyPair = …;
kp.get_public().export(Default::default())
When compiled with debug assertions, the code above triggers an "attempt to subtract with overflow" panic before the undefined behavior occurs.
Other mistakes (e.g. using EncParams from a different key) may always trigger UB.
Likely, older versions of this crate are also affected, but have not been tested.
Permalink: https://github.com/advisories/GHSA-fq33-vmhv-48xh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mcTMzLXZtaHYtNDh4aM4AAyoP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-fq33-vmhv-48xh
References:
- https://github.com/FrinkGlobal/ntru-rs/issues/8
- https://rustsec.org/advisories/RUSTSEC-2023-0032.html
- https://github.com/advisories/GHSA-fq33-vmhv-48xh
Blast Radius: 0.0
Affected Packages
cargo:ntru
Dependent packages: 0
Dependent repositories: 1
Downloads: 54,332 total
Affected Version Ranges: >= 0.4.3, <= 0.5.6
No known fixed version
All affected versions: 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6