OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-02 01:26:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

CVE-2020-8927 for compu-brotli-sys (#1129)

Browse Source
This commit is contained in:
Sergey "Shnatsel" Davidoff
2021-12-21 23:26:29 +01:00
committed by GitHub
parent 32b107c4c6
commit dc5ced1155
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
crates/compu-brotli-sys/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,20 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "compu-brotli-sys"
date = "2021-12-20"
url = "https://github.com/google/brotli/releases/tag/v1.0.9"
categories = ["memory-corruption"]
keywords = ["integer-overflow"]
aliases = ["CVE-2020-8927"]
[affected]
[versions]
patched = [">= 1.0.9"]
```
# Integer overflow in the bundled Brotli C library
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB.
If one cannot update the C library, its authors recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.