CVE-2023-22895

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-22895

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22895.json

Aliases

GHSA-96jv-r488-c2rj
RUSTSEC-2023-0004

Published

2023-01-10T01:15:10Z

Modified

2023-11-29T10:01:15.781579Z

Details

The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.

References

https://github.com/alexcrichton/bzip2-rs/pull/86
https://crates.io/crates/bzip2/versions
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MI5SVRSGKBWB2JGDLDVIFY5ZQVDZP6I7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQK57GGXJX3AH7KF6S7S3N7JC5QOYUQ7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUK2JO25PPA6XBREKJRBLRCD22LKIOLO/

Affected packages

Git / github.com/alexcrichton/bzip2-rs

Affected ranges

Type: GIT
Repo: https://github.com/alexcrichton/bzip2-rs
Events: Introduced

0The exact introduced commit is unknown

Fixed

3032f3790742bffda521e54d14429f459e078eba

Affected versions

0.*

0.3.1

0.3.2

0.3.3

0.4.1

0.4.2

bzip2-sys-0.*

bzip2-sys-0.1.10+1.0.8

bzip2-sys-0.1.5

bzip2-sys-0.1.6

bzip2-sys-0.1.7

bzip2-sys-0.1.8

bzip2-sys-0.1.9