diff --git a/crates/trust-dns-proto/RUSTSEC-0000-0000.toml b/crates/trust-dns-proto/RUSTSEC-0000-0000.toml
deleted file mode 100644
index 0be3107..0000000
--- a/crates/trust-dns-proto/RUSTSEC-0000-0000.toml
+++ /dev/null
@@ -1,60 +0,0 @@
-[advisory]
-# Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN"
-# identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs.
-id = "RUSTSEC-0000-0000"
-
-# Name of the affected crate (mandatory)
-package = "trust-dns-proto"
-
-# Disclosure date of the advisory as an RFC 3339 date (mandatory)
-date = "2017-10-09"
-
-# Single-line description of a vulnerability (mandatory)
-title = "Stack overflow when parsing malicious DNS packet"
-
-# Enter a short-form description of the vulnerability here (mandatory)
-description = """
-There's a stack overflow leading to a crash when Trust-DNS's parses a
-malicious DNS packet.
-
-Affected versions of this crate did not properly handle parsing of DNS message
-compression (RFC1035 section 4.1.4). The parser could be tricked into infinite
-loop when a compression offset pointed back to the same domain name to be
-parsed.
-
-This allows an attacker to craft a malicious DNS packet which when consumed
-with Trust-DNS could cause stack overflow and crash the affected software.
-
-The flaw was corrected by trust-dns-proto 0.4.3 and upcoming 0.5.0 release.
-"""
-
-# Versions which include fixes for this vulnerability (mandatory)
-patched_versions = [">= 0.4.3", ">= 0.5.0-alpha.3" ]
-
-# Versions which were never vulnerable (optional)
-#unaffected_versions = ["< 1.1.0"]
-
-# URL to a long-form description of this issue, e.g. a GitHub issue/PR,
-# a change log entry, or a blogpost announcing the release (optional)
-# url = ""
-
-# Keywords which describe this vulnerability, similar to Cargo (optional)
-keywords = [ "stack-overflow", "crash" ]
-
-# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
-# Request a CVE for your RustSec vulns: https://iwantacve.org/
-#aliases = ["CVE-2018-XXXX"]
-
-# References to related vulnerabilities (optional)
-# e.g. CVE for a C library wrapped by a -sys crate)
-#references = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]
-
-# CPU architectures impacted by this vulnerability (optional)
-# For a list of CPU architecture strings, see the "platforms" crate:
-#
-#affected_arch = ["x86", "x86_64"]
-
-# Operating systems impacted by this vulnerability (optional)
-# For a list of OS strings, see the "platforms" crate:
-#
-#affected_os = ["windows"]
diff --git a/crates/trust-dns-proto/RUSTSEC-2018-0007.toml b/crates/trust-dns-proto/RUSTSEC-2018-0007.toml
new file mode 100644
index 0000000..b7578eb
--- /dev/null
+++ b/crates/trust-dns-proto/RUSTSEC-2018-0007.toml
@@ -0,0 +1,21 @@
+[advisory]
+id = "RUSTSEC-2018-0007"
+package = "trust-dns-proto"
+date = "2017-10-09"
+title = "Stack overflow when parsing malicious DNS packet"
+description = """
+There's a stack overflow leading to a crash when Trust-DNS's parses a
+malicious DNS packet.
+
+Affected versions of this crate did not properly handle parsing of DNS message
+compression (RFC1035 section 4.1.4). The parser could be tricked into infinite
+loop when a compression offset pointed back to the same domain name to be
+parsed.
+
+This allows an attacker to craft a malicious DNS packet which when consumed
+with Trust-DNS could cause stack overflow and crash the affected software.
+
+The flaw was corrected by trust-dns-proto 0.4.3 and upcoming 0.5.0 release.
+"""
+patched_versions = [">= 0.4.3", ">= 0.5.0-alpha.3" ]
+keywords = [ "stack-overflow", "crash" ]
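Review bot: The new RUSTSEC-2018-0007.toml drops the template's `url` and `aliases` fields without filling them in, so consumers of the advisory get no link to the upstream fix and no CVE cross-reference; a `url = "<link to the trust-dns-proto 0.4.3 fix or release notes>"` line (placeholder, to be filled from the upstream tracker) would let readers verify the `patched_versions` range themselves. The first sentence of `description` carries a typo that the new file copies verbatim: `Trust-DNS's parses a` should read `Trust-DNS parses a`. The two arrays use uneven bracket spacing; `patched_versions = [">= 0.4.3", ">= 0.5.0-alpha.3"]` and `keywords = ["stack-overflow", "crash"]` would be the conventional TOML form.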