[Pkg-rust-maintainers] Bug#969896: rust-http: Integer Overflow in HeaderMap::reserve() can cause Denial of Service
Alexander Kjäll
alexander.kjall at gmail.com
Tue Sep 8 13:32:37 BST 2020
Source: rust-http
Version: 0.1.19-1
Severity: normal
Dear Maintainer,
Versions below 0.1.20 of rust-http have a denial of service vulnerability.
Description of the vulnerability:
HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode.
If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).
The flaw was corrected in 0.1.20 release of http crate.
Link to advisory: https://rustsec.org/advisories/RUSTSEC-2019-0033.html
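As an added illustration of the arithmetic behind this report (this is example code, not code from the http crate, the advisory, or the bug reporter), the block below puts the unchecked capacity computation described above next to a checked form. `unchecked_capacity`, `checked_capacity` and `reserve` are hypothetical names chosen for the example; the only standard-library calls are `next_power_of_two`, `checked_add` and `checked_next_power_of_two`.

```rust
// Added example (not from the http crate): the capacity rounding used by the
// vulnerable HeaderMap::reserve() and a checked variant that cannot yield 0.

/// Capacity computation in the style of the vulnerable code: the requested
/// size is rounded up to the next power of two with no overflow check.
/// For a large enough input, `next_power_of_two()` panics in debug builds
/// and returns 0 in release builds; a map that then grows to capacity 0
/// never finds an empty slot and probes forever.
fn unchecked_capacity(len: usize, additional: usize) -> usize {
    (len + additional).next_power_of_two()
}

/// Hardened form: both the addition and the rounding are checked, so an
/// overflowing request is reported as `None` instead of becoming a
/// zero-sized table.
fn checked_capacity(len: usize, additional: usize) -> Option<usize> {
    len.checked_add(additional)?.checked_next_power_of_two()
}

/// What a reserve() wrapper should do with the result: refuse the request
/// rather than hand 0 on to the grow path. The error string is constructed
/// for this example.
fn reserve(len: usize, additional: usize) -> Result<usize, &'static str> {
    checked_capacity(len, additional).ok_or("HeaderMap capacity overflow")
}

fn main() {
    // Small requests behave identically in both forms.
    println!("{}", unchecked_capacity(100, 20)); // 128
    println!("{:?}", checked_capacity(100, 20)); // Some(128)

    // Attacker-sized requests: the checked form reports the overflow.
    println!("{:?}", checked_capacity(1, usize::MAX)); // None (addition overflows)
    println!("{:?}", checked_capacity(0, usize::MAX)); // None (rounding overflows)
    println!("{:?}", reserve(0, usize::MAX)); // Err("HeaderMap capacity overflow")
}
```

Note that `unchecked_capacity` is only ever called with a small input here: calling it with an overflowing value would panic under `cargo test` or any debug build, which is exactly why the release-mode wrap to 0 in the original went unnoticed by tests.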
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled