[Pkg-rust-maintainers] Bug#1029158: rust-bzip2: CVE-2023-22895
Moritz Mühlenhoff
jmm at inutil.org
Wed Jan 18 16:35:28 GMT 2023
Source: rust-bzip2
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for rust-bzip2.
CVE-2023-22895[0]:
| The bzip2 crate before 0.4.4 for Rust allows attackers to cause a
| denial of service via a large file that triggers an integer overflow
| in mem.rs. NOTE: this is unrelated to the
| https://crates.io/crates/bzip2-rs product.
https://github.com/alexcrichton/bzip2-rs/pull/86
https://github.com/alexcrichton/bzip2-rs/commit/90c9c182cd5a5ebc75810aebd89b347a7bdf590b (0.4.4)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-22895
https://www.cve.org/CVERecord?id=CVE-2023-22895
Please adjust the affected versions in the BTS as needed.