Add sha2 v0.9.7 AVX2 bug (#1012)

2026-01-06 03:29:45 +01:00 · 2021-09-09 10:14:52 -06:00
parent 138fb15795
commit 4744ee629e
1 changed files with 26 additions and 0 deletions
--- a/crates/sha2/RUSTSEC-0000-0000.md
+++ b/crates/sha2/RUSTSEC-0000-0000.md
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "sha2"
+date = "2021-09-08"
+categories = ["crypto-failure"]
+keywords = ["cryptography"]
+url = "https://github.com/RustCrypto/hashes/pull/314"
+
+[versions]
+patched = [">= 0.9.8"]
+unaffected = ["< 0.9.7"]
+```
+
+# Miscomputed results when using AVX2 backend
+
+The v0.9.7 release of the `sha2` crate introduced a new AVX2-accelerated
+backend which was automatically enabled for all x86/x86_64 CPUs where AVX2
+support was autodetected at runtime.
+
+This backend was buggy and would miscompute results for long messages
+(i.e. messages spanning multiple SHA blocks).
+
+The crate has since been yanked, but any users who upgraded to v0.9.7 should
+immediately upgrade to v0.9.8 and recompute any hashes which were previously
+computed by v0.9.7.