OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-13 21:18:11 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
82a18e0e26c01b9ae80fd2a228fb22e10fc0fdb8
advisory-db/crates/rand_core/RUSTSEC-2021-0023.md
Yechan Bae b724f12a5b Update CVE numbers (#777) 
* Update CVE numbers

* Fix RUSTSEC-2020-0093

* Add another alias for async-h1 crate
2021-02-25 20:00:25 -05:00

882 B
Raw Blame History 

[advisory]
id = "RUSTSEC-2021-0023"
package = "rand_core"
aliases = ["CVE-2021-27378"]
date = "2021-02-12"
url = "https://github.com/rust-random/rand/pull/1096"
categories = ["crypto-failure"]
keywords = []

# Optional: metadata which narrows the scope of what this advisory affects
[affected.functions]
"rand_core::le::read_u32_into" = ["< 0.6.2, >= 0.6.0"]
"rand_core::le::read_u64_into" = ["< 0.6.2, >= 0.6.0"]

[versions]
patched = [">= 0.6.2"]
unaffected = ["< 0.6.0"]

Incorrect check on buffer length when seeding RNGs

Summary: rand_core::le::read_u32_into and read_u64_into have incorrect checks on the source buffer length, allowing the destination buffer to be under-filled.

Implications: some downstream RNGs, including Hc128Rng (but not the more widely used ChaCha*Rng), allow seeding using the SeedableRng::from_seed trait-function with too short keys.