[security] Fix a panic from an unchecked string slice. #28
When slicing a string, you get a panic if you do so at any point
other than at a character boundary. This happened in the
implementation of UTCTime parsing.
This bug was introduced in
bc156c36d7, and appears to affect only version 0.6.0.
I've tried using the clippy::string_slice lint to confirm that there
are not any other string slices in this code.
Fixes bug #27. Found via fuzzing.
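The failure mode described above, as an added example that is not part of the original PR or the crate's own code: a hypothetical `YYMMDDHHMMSSZ` UTCTime field parser written once with byte-range indexing and once with `str::get`. All function names and the sample inputs are constructed for illustration.

```rust
use std::panic;

/// Unchecked form: `s[a..b]` panics if `a` or `b` is out of range or
/// falls inside a multi-byte UTF-8 character.
fn two_digits_unchecked(s: &str, at: usize) -> Option<u32> {
    s[at..at + 2].parse().ok()
}

/// Checked form: `str::get` returns None for an out-of-range or
/// non-boundary range, so malformed input becomes a parse failure.
fn two_digits_checked(s: &str, at: usize) -> Option<u32> {
    let field = s.get(at..at + 2)?;
    // Reject "+5" and similar, which u32::from_str would accept.
    if field.bytes().all(|b| b.is_ascii_digit()) {
        field.parse().ok()
    } else {
        None
    }
}

/// Hypothetical UTCTime parser: returns [yy, mm, dd, hh, mi, ss].
/// `field` selects which of the two slicing strategies is used.
fn parse_utctime(s: &str, field: fn(&str, usize) -> Option<u32>) -> Option<[u32; 6]> {
    let mut out = [0u32; 6];
    for (i, slot) in out.iter_mut().enumerate() {
        *slot = field(s, i * 2)?;
    }
    if s.get(12..) == Some("Z") { Some(out) } else { None }
}

/// True if the unchecked parser panics on `s` (the crash a remote
/// peer could trigger by sending this value).
fn panics(s: &str) -> bool {
    panic::catch_unwind(|| parse_utctime(s, two_digits_unchecked)).is_err()
}

fn main() {
    let good = "230115120000Z"; // constructed sample
    let bad = "230\u{e9}01120000Z"; // constructed: 'é' straddles a field boundary
    println!("{:?}", parse_utctime(good, two_digits_checked));
    println!("{:?}", parse_utctime(bad, two_digits_checked));
    println!("unchecked panics: {}", panics(bad));
}
```
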
I fuzzed this branch for a couple more hours, but no further problems turned up.
By the way, please let me know if you'd like me to open a RUSTSEC advisory for this, or if you'd rather do it yourself?
Hey, you found it, I think you should get the credit for the advisory :)
I'll put another comment in here with the new version number (which will almost certainly be 0.6.1, but ...).
Published upstream as 0.6.1!
Hello, RustSec maintainer here. Thanks for acting on the issue so quickly!
I'd like to confirm with @acw that you want to treat panics in this crate as security issues. It's reasonable for a format decoder that handles untrusted data to treat panics as a security issue; but we don't want to have an inconsistent coverage where some panics in the crate are tracked but others are not.
After some thinking: yes, I think that makes sense. Especially for something like ASN.1, being able to crash a process remotely could be a significant safety or security concern.
I'm merging the advisory then. Thanks again!