Headline
GHSA-7vm6-qwh5-9x44: loona-hpack Panic Vulnerability
Summary
loona-hpack
suffers from the same vulnerability as the original hpack
as documented in https://github.com/mlalic/hpack-rs/issues/11
Details
The original includes a very nice description of the problem, as well as an easy-enough fix for it.
PoC
The original example pretty much still applies:
use loona_hpack::Decoder;
pub fn main() {
let input = &[0x3f];
let mut decoder = Decoder::new();
let _ = decoder.decode(input);
}
Impact
From the original:
All users who try to decode untrusted input using the Decoder are vulnerable to this exploit. A patched version of the crate is available on [crates.io](https://crates.io/crates/hpack-patched) under the name hpack-patched. See [Cargo's documentation on overriding dependencies](https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html) for more information.
Summary
loona-hpack suffers from the same vulnerability as the original hpack as documented in mlalic/hpack-rs#11
Details
The original includes a very nice description of the problem, as well as an easy-enough fix for it.
PoC
The original example pretty much still applies:
use loona_hpack::Decoder;
pub fn main() { let input = &[0x3f]; let mut decoder = Decoder::new(); let _ = decoder.decode(input); }
Impact
From the original:
All users who try to decode untrusted input using the Decoder are vulnerable to this exploit. A patched version of the crate is available on crates.io under the name hpack-patched. See Cargo’s documentation on overriding dependencies for more information.
References
- GHSA-7vm6-qwh5-9x44
- mlalic/hpack-rs#11
- bearcove/loona@9a4028e
- GHSA-w7hm-hmxv-pvhf