From e90491ebc6be3f79ad662c22db7a34723259384b Mon Sep 17 00:00:00 2001
From: aspen
Date: Wed, 9 Dec 2020 10:32:30 -0500
Subject: [PATCH] Add nanorand 0.5.0 RNG weakness (#525)
---
 crates/nanorand/RUSTSEC-0000-0000.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 crates/nanorand/RUSTSEC-0000-0000.md
diff --git a/crates/nanorand/RUSTSEC-0000-0000.md b/crates/nanorand/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..bc0b4f3
--- /dev/null
+++ b/crates/nanorand/RUSTSEC-0000-0000.md
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "nanorand"
+date = "2020-12-09"
+url = "https://twitter.com/aspenluxxxy/status/1336684692284772352"
+categories = ["crypto-failure"]
+cvss = "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+keywords = ["rng"]
+
+[versions]
+patched = [">= 0.5.1"]
+```
+
+# nanorand 0.5.0 - RNGs failed to generate properly for non-64-bit numbers
+
+In versions of `nanorand` prior to 0.5.1, `RandomGen` implementations for standard unsigned integers could
+fail to properly generate numbers, due to using bit-shifting to truncate a 64-bit number, rather than just
+an `as` conversion.
+
+This often manifested as RNGs returning nothing but 0, including the cryptographically secure `ChaCha` random
+number generator..
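Review bot: The `[versions]` table lists only `patched = [">= 0.5.1"]`, so tooling that reads this advisory will treat every release below 0.5.1 as affected, while the heading and the commit subject name only 0.5.0. If releases before 0.5.0 do not have the truncation bug, add `unaffected = ["< 0.5.0"]`; if they do, the heading should say "before 0.5.1" so the prose and the metadata agree. The `cvss` vector rates this `AV:L` with `C:L/I:L`, which looks low for a cryptographically secure generator (`ChaCha`) that can return nothing but 0, so it is worth re-scoring against how callers use the output (keys, nonces, tokens). Minor: the last sentence of the description ends with a doubled period.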