From c5b92d8ee750868f2cf0262a6295e3165955eb0f Mon Sep 17 00:00:00 2001
From: Paolo Barbolini
Date: Wed, 27 Nov 2024 21:44:48 +0100
Subject: [PATCH 1/3] Add ruzstd uninit/out-of-bounds reads advisory
---
 crates/ruzstd/RUSTSEC-0000-0000.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 crates/ruzstd/RUSTSEC-0000-0000.md
diff --git a/crates/ruzstd/RUSTSEC-0000-0000.md b/crates/ruzstd/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000000..22e49920ff
--- /dev/null
+++ b/crates/ruzstd/RUSTSEC-0000-0000.md
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "ruzstd"
+date = "2024-11-28"
+url = "https://github.com/KillingSpark/zstd-rs/issues/75"
+categories = ["memory-exposure"]
+references = ["https://github.com/KillingSpark/zstd-rs/pull/76"]
+
+[versions]
+patched = [">= 0.7.3"]
+unaffected = ["< 0.7.0"]
+```
+
+# `ruzstd` uninit and out-of-bounds memory reads
+
+Affected versions of `ruzstd` miscalculate the length of the allocated
+and init section of its internal `RingBuffer`, leading to uninitialized
+or out-of-bounds reads in `copy_bytes_overshooting` of up to 15 bytes.
From 04552f4e2d0b74024cae1b9aa5b2da730c06b2a3 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Thu, 28 Nov 2024 18:34:35 +0000
Subject: [PATCH 2/3] Update description with impact analysis from the maintainer
---
 crates/ruzstd/RUSTSEC-0000-0000.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/crates/ruzstd/RUSTSEC-0000-0000.md b/crates/ruzstd/RUSTSEC-0000-0000.md
index 22e49920ff..511cad9986 100644
--- a/crates/ruzstd/RUSTSEC-0000-0000.md
+++ b/crates/ruzstd/RUSTSEC-0000-0000.md
@@ -17,3 +17,7 @@ unaffected = ["< 0.7.0"]
 Affected versions of `ruzstd` miscalculate the length of the allocated
 and init section of its internal `RingBuffer`, leading to uninitialized
 or out-of-bounds reads in `copy_bytes_overshooting` of up to 15 bytes.
+
+This may result in up to 15 bytes of memory contents being written
+into the decoded data when ecompressing a crafted archive.
+This may occur multiple times per archive.
From 9979aea0133330a2a50594227fea7940c3182efe Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Thu, 28 Nov 2024 18:39:58 +0000
Subject: [PATCH 3/3] fix typo
Co-authored-by: Paolo Barbolini
---
 crates/ruzstd/RUSTSEC-0000-0000.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crates/ruzstd/RUSTSEC-0000-0000.md b/crates/ruzstd/RUSTSEC-0000-0000.md
index 511cad9986..1b5dac4611 100644
--- a/crates/ruzstd/RUSTSEC-0000-0000.md
+++ b/crates/ruzstd/RUSTSEC-0000-0000.md
@@ -19,5 +19,5 @@ and init section of its internal `RingBuffer`, leading to uninitialized
 or out-of-bounds reads in `copy_bytes_overshooting` of up to 15 bytes.
 
 This may result in up to 15 bytes of memory contents being written
-into the decoded data when ecompressing a crafted archive.
+into the decoded data when decompressing a crafted archive.
 This may occur multiple times per archive.