From 20107217b7796532a248182efc8afa1622784b2c Mon Sep 17 00:00:00 2001
From: Morgan Hill <a@morganrhill.com>
Date: Thu, 21 Dec 2023 19:44:13 +0100
Subject: [PATCH] Create advisory for DoS in Rosenpass <=0.2.0 (#1823)

---
 crates/rosenpass/RUSTSEC-0000-0000.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 crates/rosenpass/RUSTSEC-0000-0000.md

diff --git a/crates/rosenpass/RUSTSEC-0000-0000.md b/crates/rosenpass/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..ee6c382
--- /dev/null
+++ b/crates/rosenpass/RUSTSEC-0000-0000.md
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rosenpass"
+date = "2023-11-04"
+references = ["https://github.com/rosenpass/rosenpass/commit/93439858d1c44294a7b377f775c4fc897a370bb2"]
+categories = ["denial-of-service"]
+keywords = ["remote", "single-byte"]
+license = "CC0-1.0"
+
+[versions]
+patched = [">= 0.2.1"]
+```
+
+# Remotely exploitable DoS condition in Rosenpass <=0.2.0
+
+Affected version do this crate did not validate the size of buffers when attempting to decode messages.
+
+This allows an attacker to trigger a panic by sending a UDP datagram with a 1 byte payload over network.
+
+This flaw was corrected by validating the size of the buffers before attempting to decode the message.