Merge pull request #222 from dbrgn/prost-stackoverflow

Add advisory for prost stack overflow
rustsec · Jan 16, 2020 · 35c8298 · 35c8298
2 parents 4d05143 + 7a0d254
commit 35c8298
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/crates/prost/RUSTSEC-0000-0000.toml b/crates/prost/RUSTSEC-0000-0000.toml
@@ -0,0 +1,20 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "prost"
+date = "2020-01-16"
+title = "Parsing a specially crafted message can result in a stack overflow"
+description = """
+Affected versions of this crate contained a bug in which decoding untrusted
+input could overflow the stack.
+
+On architectures with stack probes (like x86), this can be used for denial of
+service attacks, while on architectures without stack probes (like ARM)
+overflowing the stack is unsound and can result in potential memory corruption
+(or even RCE).
+ 
+The flaw was quickly corrected by @danburkert and released in version 0.6.1.
+"""
+patched_versions = [">= 0.6.1"]
+url = "https://github.com/danburkert/prost/issues/267"
+categories = ["denial-of-service", "memory-corruption"]
+keywords = ["stack overflow"]