Add bzip2 DoS (#1554)

* Add bzip2

* Minor fix

* Add category
pinkforest(she/her)
2023-02-02 22:47:16 +11:00
committed by GitHub
parent e9f2cb51e9
commit e316490842


@@ -0,0 +1,27 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "bzip2"
aliases = ["CVE-2023-22895", "GHSA-96jv-r488-c2rj"]
date = "2023-09-01"
url = "https://github.com/alexcrichton/bzip2-rs/pull/86"
categories = ["denial-of-service"]
[versions]
patched = [">= 0.4.4"]
```
# bzip2 Denial of Service (DoS)
Working with specific payloads can cause a Denial of Service (DoS) vector.
Both `Decompress` and `Compress` implementations can enter into infinite loops
given specific payloads entered that trigger it.
The issue is described in great detail in the [bzip2 repository issue](https://github.com/alexcrichton/bzip2-rs/pull/86).
Thanks to bjrjk for finding and providing the patch for the issue and the
maintainer responsibly responding to release a fix quickly.
Users who use the crate with untrusted data should update the `bzip2` to 0.4.4.
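Review bot: the `date = "2023-09-01"` field in the `[advisory]` table is seven months after the commit date shown on this page (2023-02-02), so it cannot be the date the issue was reported or disclosed; it looks like a typo and should be checked against the disclosure date of the linked PR and CVE-2023-22895 before merge. Two smaller points in the description: the link text "bzip2 repository issue" points at a pull request (`.../bzip2-rs/pull/86`), so "bzip2 repository pull request" would be accurate, and the closing sentence reads more cleanly as "Users who process untrusted data with this crate should update `bzip2` to 0.4.4 or later", which also matches `patched = [">= 0.4.4"]`. The opening line "Working with specific payloads can cause a Denial of Service (DoS) vector." is awkward; "Specially crafted payloads can cause a denial of service" says the same thing more clearly.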