GHSA-x3f4-45xf-rjm7

Published: 02 Dec 2024
Source: github
Github: Reviewed

Description

ruzstd uninit and out-of-bounds memory reads

Affected versions of ruzstd miscalculate the length of the allocated and init section of its internal RingBuffer, leading to uninitialized or out-of-bounds reads in copy_bytes_overshooting of up to 15 bytes.

This may result in up to 15 bytes of memory contents being written into the decoded data when decompressing a crafted archive. This may occur multiple times per archive.

Packages

Name: ruzstd (rust)
Affected versions: >= 0.7.0, < 0.7.3
Fixed version: 0.7.3

Weaknesses

CWE-125