RUSTSEC-2021-0131
on 2021-12-20: Integer overflow in the bundled Brotli C library
This review is from cargo-vet. To add your review, set up cargo-vet and submit your URL to its registry.
0.3.2 (current)
From kornelski/crev-proofs copy of git.savannah.gnu.org.
Packaged for Guix (crates-io)
cargo-vet does not verify reviewers' identity. You have to fully trust the source the audits are from.
- unknown
-
May have been packaged automatically without a review
Lib.rs has been able to verify that all files in the crate's tarball are in the crate's repository. Please note that this check is still in beta, and absence of this confirmation does not mean that the files don't match.
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories, so there is a possibility that published crates have a misleading repository URL, or contain different code from the code in the repository.
To review the actual code of the crate, it's best to use cargo crev open brotli-sys. Alternatively, you can download the tarball of brotli-sys v0.3.2 or view the source online.
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB.
An updated version of
brotli-syshas not been released. If one cannot update the C library, its authors recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.In Rust the issue can be mitigated by migrating to the
brotlicrate, which provides a Rust implementation of Brotli compression and decompression that is not affected by this issue.https://github.com/google/brotli/releases/tag/v1.0.9
CVE-2020-8927