
ntru-rs has unsound FFI: Wrong API usage causes write past allocated area

Moderate severity • GitHub Reviewed • Published Apr 7, 2023 to the GitHub Advisory Database • Updated Apr 7, 2023

Package

cargo ntru (Rust)

Affected versions

>= 0.4.3, <= 0.5.6

Description

The following usage causes undefined behavior (a write past the allocated area, through the crate's FFI into the underlying C library):

    let kp: ntru::types::KeyPair = …;
    kp.get_public().export(Default::default())

When compiled with debug assertions, the code above triggers an "attempt to subtract with overflow" panic before the undefined behavior is reached; without debug assertions (the default for release builds) the out-of-bounds write proceeds.
Other misuse, such as passing EncParams that belong to a different key, may trigger undefined behavior unconditionally, with no panic to catch it first.

Likely, older versions of this crate are also affected, but have not been tested.
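As an added illustration, not the ntru crate's own code: a model of how a wrapper over such a C export routine can be written so the misuse above is rejected before the FFI call. The parameter set, the 4-byte header and the c_export routine are hypothetical stand-ins; the fix pattern is to bind the parameter set to the key, derive the output size from the key rather than from the caller's argument, and use checked length arithmetic.

```rust
use std::ptr;

/// Bytes of header the wrapper prepends to an exported key (hypothetical format).
const HEADER_LEN: usize = 4;

/// Encryption parameter set; only the exported public-key length matters here.
/// `Default` is deliberately a *different* set from the one a sample key is built
/// with, mirroring the misuse described in the advisory.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct EncParams { pub pub_len: usize }

impl Default for EncParams {
    fn default() -> Self { EncParams { pub_len: 8 } }
}

/// Stand-in for the C library's export routine: it copies `key_len` bytes into
/// `out` and trusts the caller to have allocated that much. A wrapper that sizes
/// `out` from the wrong parameter set is what lets it write past the allocation.
unsafe fn c_export(key: *const u8, key_len: usize, out: *mut u8) {
    unsafe { ptr::copy_nonoverlapping(key, out, key_len) }
}

#[derive(Debug, PartialEq, Eq)]
pub enum ExportError { ParamsMismatch, BadLength }

pub struct PublicKey { params: EncParams, raw: Vec<u8> }

impl PublicKey {
    /// Binds the parameter set to the key and checks the length relation once, with
    /// checked arithmetic: a too-small set is an error, not a debug-only
    /// "attempt to subtract with overflow" panic or a wrapped-around length.
    pub fn from_parts(params: EncParams, raw: Vec<u8>) -> Result<Self, ExportError> {
        match params.pub_len.checked_sub(HEADER_LEN) {
            Some(body_len) if body_len == raw.len() => Ok(PublicKey { params, raw }),
            _ => Err(ExportError::BadLength),
        }
    }

    /// Sound wrapper: rejects parameters that are not the key's own and sizes the
    /// output from the key's bound data before crossing the FFI boundary.
    pub fn export(&self, params: EncParams) -> Result<Vec<u8>, ExportError> {
        if params != self.params { return Err(ExportError::ParamsMismatch); }
        let body_len = self.raw.len();
        let mut out = vec![0u8; HEADER_LEN + body_len];
        out[..HEADER_LEN].copy_from_slice(&(body_len as u32).to_be_bytes());
        // SAFETY: `out` holds HEADER_LEN + body_len bytes and `raw` holds body_len.
        unsafe { c_export(self.raw.as_ptr(), body_len, out.as_mut_ptr().add(HEADER_LEN)) };
        Ok(out)
    }
}
```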

References

  • FrinkGlobal/ntru-rs#8
  • https://rustsec.org/advisories/RUSTSEC-2023-0032.html

Published to the GitHub Advisory Database

Apr 7, 2023

GHSA ID

GHSA-fq33-vmhv-48xh
