Headline
GHSA-mjw4-jj88-v687: panic on parsing crafted phonenumber inputs
Impact
The phonenumber parsing code may panic due to a reachable assert! guard on the phonenumber string.
In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form +dwPAA;phone-context=AA, where the “number” part potentially parses as a number larger than 2^56.
Introduced in f69abee1 (0.3.4, #52).
The 0.2.x series is not affected.
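The bug class behind this advisory is an assert! that caller-controlled input can reach: a network peer who can hand the parser a string of the right shape turns a rejected value into a process crash. The following is an added illustration, not rust-phonenumber's code. It assumes a simplified RFC 3966 split of the number from its ;phone-context= part, an assumed keypad mapping of letters to digits so that a payload like dwPAA becomes a number, and the 2^56 bound the advisory names. The first function shows the fragile assert! pattern; the second returns a Result so the caller, not the runtime, decides what happens on bad input.

```rust
// Added example, not rust-phonenumber's own code. Assumptions: the
// number is split from `;phone-context=` as in RFC 3966, letters map
// to keypad digits (ITU E.161), and the value must stay below 2^56.
const LIMIT: u64 = 1 << 56;

/// Split "+dwPAA;phone-context=AA" into ("dwPAA", Some("AA")).
fn split_context(input: &str) -> (&str, Option<&str>) {
    let body = input.strip_prefix('+').unwrap_or(input);
    match body.split_once(";phone-context=") {
        Some((num, ctx)) => (num, Some(ctx)),
        None => (body, None),
    }
}

/// Keypad letter or digit to a decimal digit (assumed mapping).
fn keypad_digit(c: char) -> Option<u8> {
    match c.to_ascii_uppercase() {
        '0'..='9' => Some(c as u8 - b'0'),
        'A'..='C' => Some(2),
        'D'..='F' => Some(3),
        'G'..='I' => Some(4),
        'J'..='L' => Some(5),
        'M'..='O' => Some(6),
        'P'..='S' => Some(7),
        'T'..='V' => Some(8),
        'W'..='Z' => Some(9),
        _ => None,
    }
}

/// The fragile pattern: untrusted input can trip the assert! and
/// take the whole process down instead of producing an error.
pub fn parse_panicking(input: &str) -> u64 {
    let (num, _ctx) = split_context(input);
    let mut value: u64 = 0;
    for c in num.chars() {
        let d = keypad_digit(c).expect("unexpected character");
        value = value.wrapping_mul(10).wrapping_add(u64::from(d));
    }
    assert!(value < LIMIT, "number too large");
    value
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    InvalidChar(char),
    TooLarge,
}

/// The hardened form: overflow and the size bound are checked with
/// checked arithmetic and reported as values the caller handles.
pub fn parse_checked(input: &str) -> Result<(u64, Option<String>), ParseError> {
    let (num, ctx) = split_context(input);
    let mut value: u64 = 0;
    for c in num.chars() {
        let d = keypad_digit(c).ok_or(ParseError::InvalidChar(c))?;
        value = value
            .checked_mul(10)
            .and_then(|v| v.checked_add(u64::from(d)))
            .filter(|v| *v < LIMIT)
            .ok_or(ParseError::TooLarge)?;
    }
    Ok((value, ctx.map(str::to_string)))
}

fn main() {
    // Constructed inputs: the advisory's shape, and an oversized number.
    let sample = "+dwPAA;phone-context=AA";
    let oversized = "+999999999999999999;phone-context=AA";
    println!("{:?}", parse_checked(sample));
    println!("{:?}", parse_checked(oversized));
    let caught = std::panic::catch_unwind(|| parse_panicking(oversized));
    println!("panicking parser crashed: {}", caught.is_err());
}
```

The checked version rejects the oversized input with ParseError::TooLarge where the assert! version aborts the thread; in a server that means one bad request yields a 4xx instead of a restart.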
Patches
Upgrade to 0.3.6 or higher.
Workarounds
n/a
References
Whereas https://github.com/whisperfish/rust-phonenumber/issues/69 did not provide an example code path, property testing found a few: +dwPAA;phone-context=AA.
Package
cargo phonenumber (Rust)
Affected versions
>= 0.3.4, < 0.3.6
Patched versions
0.3.6
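Since the advisory's only fix is the upgrade, the practical check is whether a lockfile pins phonenumber inside the affected range. The following added example (not part of the advisory or the project) scans Cargo.lock text for phonenumber entries and reports versions satisfying >= 0.3.4, < 0.3.6; the Cargo.lock content is constructed for the demonstration.

```rust
// Added example, not part of the advisory: report phonenumber entries
// in a Cargo.lock that fall in the affected range of GHSA-mjw4-jj88-v687.
const AFFECTED_FROM: (u64, u64, u64) = (0, 3, 4); // inclusive
const AFFECTED_TO: (u64, u64, u64) = (0, 3, 6); // exclusive

/// Parse "major.minor.patch", ignoring any pre-release or build suffix.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Tuple comparison is lexicographic, so this is a plain semver range test.
pub fn is_affected(v: (u64, u64, u64)) -> bool {
    v >= AFFECTED_FROM && v < AFFECTED_TO
}

/// Walk the lockfile's [[package]] blocks and collect affected versions.
pub fn affected_phonenumber_versions(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut current_name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            current_name = None;
            continue;
        }
        if let Some(rest) = line.strip_prefix("name = ") {
            current_name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            // The top-level `version = 3` line has no package name and is skipped.
            let ver = rest.trim_matches('"');
            if current_name.as_deref() == Some("phonenumber")
                && parse_version(ver).map_or(false, is_affected)
            {
                hits.push(ver.to_string());
            }
        }
    }
    hits
}

/// Constructed Cargo.lock excerpt for the demonstration.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "phonenumber"
version = "0.3.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex"
version = "1.10.4"
"#;

fn main() {
    println!("affected: {:?}", affected_phonenumber_versions(SAMPLE_LOCK));
}
```

In CI, a non-empty result should fail the build until the dependency is bumped to 0.3.6 or later.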
References
- GHSA-mjw4-jj88-v687
- whisperfish/rust-phonenumber#69
- whisperfish/rust-phonenumber#52
- whisperfish/rust-phonenumber@b792151
- whisperfish/rust-phonenumber@f69abee
- https://nvd.nist.gov/vuln/detail/CVE-2024-39697
rubdos published to whisperfish/rust-phonenumber
Jul 9, 2024
Published to the GitHub Advisory Database
Jul 9, 2024
Reviewed
Jul 9, 2024
Published by the National Vulnerability Database
Jul 9, 2024
Last updated
Jul 9, 2024