RUSTSEC-2021-0131 on 2021-12-20: Integer overflow in the bundled Brotli C library

A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB.

An updated version of brotli-sys has not been released. If one cannot update the C library, its authors recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.

In Rust the issue can be mitigated by migrating to the brotli crate, which provides a Rust implementation of Brotli compression and decompression that is not affected by this issue.

https://github.com/google/brotli/releases/tag/v1.0.9

CVE-2020-8927

This review is from cargo-vet. To add your review, set up cargo-vet and submit your URL to its registry.

cargo-vet does not verify reviewers' identity. You have to fully trust the source the audits are from.

unknown

May have been packaged automatically without a review


Lib.rs has been able to verify that all files in the crate's tarball are in the crate's repository. Please note that this check is still in beta, and absence of this confirmation does not mean that the files don't match.

Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories, so there is a possibility that published crates have a misleading repository URL, or contain different code from the code in the repository.

To review the actual code of the crate, it's best to use cargo crev open brotli-sys. Alternatively, you can download the tarball of brotli-sys v0.3.2 or view the source online.