mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2026-02-13 21:18:11 +01:00
64c17acfe3
As announced in #228, this commit migrates all advisories to the new V2 format, which splits version information into a separate section, and now has a structure which corresponds to the internal code structure of the `rustsec` crate. This is a breaking change for users of `cargo-audit` < 0.9, and anyone who has written a 3rd party advisory format parser.
27 lines
908 B
TOML
27 lines
908 B
TOML
[advisory]
|
|
id = "RUSTSEC-2019-0033"
|
|
package = "http"
|
|
date = "2019-11-16"
|
|
title = "Integer Overflow in HeaderMap::reserve() can cause Denial of Service"
|
|
url = "https://github.com/hyperium/http/issues/352"
|
|
categories = ["denial-of-service"]
|
|
keywords = ["http", "integer-overflow", "DoS"]
|
|
description = """
|
|
`HeaderMap::reserve()` used `usize::next_power_of_two()` to calculate the increased capacity.
|
|
However, `next_power_of_two()` silently overflows to 0 if given a sufficently large number
|
|
in release mode.
|
|
|
|
If the map was not empty when the overflow happens,
|
|
the library will invoke `self.grow(0)` and start infinite probing.
|
|
This allows an attacker who controls the argument to `reserve()`
|
|
to cause a potential denial of service (DoS).
|
|
|
|
The flaw was corrected in 0.1.20 release of `http` crate.
|
|
"""
|
|
|
|
[affected.functions]
|
|
"http::header::HeaderMap::reserve" = ["< 0.1.20"]
|
|
|
|
[versions]
|
|
patched = [">= 0.1.20"]
|