Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mcTMzLXZtaHYtNDh4aM4AAyoP

ntru-rs has unsound FFI: Wrong API usage causes write past allocated area

The following usage causes undefined behavior.

let kp: ntru::types::KeyPair = …;
kp.get_public().export(Default::default())

When compiled with debug assertions, the code above will trigger a attempt to subtract with overflow panic before UB occurs.
Other mistakes (e.g. using EncParams from a different key) may always trigger UB.

Likely, older versions of this crate are also affected, but have not been tested.

Permalink: https://github.com/advisories/GHSA-fq33-vmhv-48xh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mcTMzLXZtaHYtNDh4aM4AAyoP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


Identifiers: GHSA-fq33-vmhv-48xh
References: Repository: https://github.com/FrinkGlobal/ntru-rs
Blast Radius: 0.0

Affected Packages

cargo:ntru
Dependent packages: 0
Dependent repositories: 1
Downloads: 55,505 total
Affected Version Ranges: >= 0.4.3, <= 0.5.6
No known fixed version
All affected versions: 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6