Packaged version of brotli is affected by CVE-2020-8927 #45
This was referenced Dec 22, 2021:
RUSTSEC-2021-0131: Integer overflow in the bundled Brotli C library
pineapplehunter/tuat-feed-api#12
A simple solution is to not vendor Brotli, but to link against a system-provided libbrotli instead, which can be kept up to date independently, and requires no code changes in the Rust code to update. For an example, see ruuda@ec1c87e.
JFYI
Brotli versions prior to 1.0.8 are affected by CVE-2020-8927.
https://www.cvedetails.com/cve/CVE-2020-8927/
This is an integer overflow and I believe it is reachable from the Rust bindings, but that's just based on a quick perusal of the source code.
I'm currently working on a PR to add an advisory to the rustsec advisory-db as well.
rustsec/advisory-db#1124
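A check a packager can run after switching to a system-provided libbrotli (as the comment above suggests) to confirm the installed library is at or above the 1.0.8 release the issue names as fixed. This is an added example, not code from this issue, the crate, or the ruuda commit; it assumes pkg-config and brotli's libbrotlidec.pc are installed, while the version comparison itself is plain awk and works on any constructed version string.

```shell
#!/bin/sh
# Added example: verify that the system libbrotli is new enough that the
# CVE-2020-8927 integer overflow (fixed in Brotli 1.0.8) is not present.
# Assumes pkg-config and brotli's libbrotlidec.pc are installed.

# Minimum Brotli release carrying the CVE-2020-8927 fix (from the issue text).
BROTLI_FIXED_VERSION="1.0.8"

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# Missing components are treated as 0, so "1.1" compares equal to "1.1.0".
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# brotli_version_ok V: exit 0 if V is at or above the fixed release.
brotli_version_ok() {
  version_ge "$1" "$BROTLI_FIXED_VERSION"
}

# check_system_brotli: query the installed libbrotlidec via pkg-config.
# Exit codes: 0 = fixed version present, 1 = vulnerable version, 2 = not found.
check_system_brotli() {
  v=$(pkg-config --modversion libbrotlidec 2>/dev/null) || return 2
  if brotli_version_ok "$v"; then
    echo "libbrotlidec $v: at or above $BROTLI_FIXED_VERSION, CVE-2020-8927 fixed"
    return 0
  fi
  echo "libbrotlidec $v: older than $BROTLI_FIXED_VERSION, affected by CVE-2020-8927" >&2
  return 1
}
```

Run `check_system_brotli` from a build or packaging script and fail the build on a non-zero exit; exit code 2 distinguishes "no system libbrotli found" from "found but too old".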