GHSA-fq33-vmhv-48xh

Source
https://github.com/advisories/GHSA-fq33-vmhv-48xh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-fq33-vmhv-48xh/GHSA-fq33-vmhv-48xh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fq33-vmhv-48xh
Aliases
Published
2023-04-07T19:23:49Z
Modified
2023-11-08T04:19:06.327800Z
Summary
ntru-rs has unsound FFI: Wrong API usage causes write past allocated area
Details

The following usage causes undefined behavior:

let kp: ntru::types::KeyPair = …;
// The EncParams produced by Default::default() are not the parameter set
// this key was generated with, so the export writes past the buffer it allocates.
kp.get_public().export(Default::default())

When compiled with debug assertions enabled, the code above triggers an "attempt to subtract with overflow" panic before the out-of-bounds write happens. Other mistakes (e.g. passing the EncParams of a different key) may trigger UB in every build mode, with no panic first.

Likely, older versions of this crate are also affected, but have not been tested.
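The pattern behind this class of bug, as an added, self-contained illustration that is not the ntru crate's code: a "safe" wrapper sizes its output buffer from a caller-supplied parameter set while the C routine behind it writes according to the key itself, so a mismatched parameter set (here `Params::default()`, standing in for `Default::default()` above) becomes a heap overflow. The types `Params`, `PublicKey`, the stand-in `ffi_export`, and the functions `export_unsound`, `would_overrun` and `export_checked` are all hypothetical; the sound version refuses to enter `unsafe` unless the parameters match the key's own.

```rust
// Hypothetical model of the advisory's unsound-wrapper pattern (not the ntru
// crate's code), with a sound wrapper beside it. All names are illustrative.
use std::ptr;

/// Stand-in for an FFI parameter set such as the crate's `EncParams`.
/// `Default` yields a zero-sized parameter set, which matches no real key.
#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
pub struct Params {
    /// Exported public-key length, in bytes, implied by this parameter set.
    pub pub_len: usize,
}

/// A public key that remembers the parameter set it was generated under.
#[derive(Debug)]
pub struct PublicKey {
    params: Params,
    bytes: Vec<u8>,
}

impl PublicKey {
    /// Constructed sample key: `bytes` is filler, not real NTRU key material.
    pub fn sample() -> Self {
        let bytes: Vec<u8> = (0u8..64).collect();
        PublicKey { params: Params { pub_len: bytes.len() }, bytes }
    }

    pub fn params(&self) -> Params {
        self.params
    }
}

/// Stand-in for the C routine behind `export`: it writes the key's full length
/// through `out` and trusts the caller to have allocated enough, exactly as a
/// raw-pointer C API does.
/// Safety: `out` must point to at least `key.bytes.len()` writable bytes.
unsafe fn ffi_export(key: &PublicKey, out: *mut u8) {
    ptr::copy_nonoverlapping(key.bytes.as_ptr(), out, key.bytes.len());
}

/// UNSOUND wrapper: the buffer is sized from caller-supplied `params` while the
/// FFI writes according to the key. With `Params::default()` or the params of
/// a different key the write runs past the allocation (heap overflow).
/// Shown for contrast only; never call it with mismatched params.
pub fn export_unsound(key: &PublicKey, params: Params) -> Vec<u8> {
    let mut out = vec![0u8; params.pub_len];
    unsafe { ffi_export(key, out.as_mut_ptr()) };
    out
}

/// How many bytes `export_unsound` would write past its allocation for the
/// given `params`, computed without performing the write. `None` means the
/// buffer is large enough.
pub fn would_overrun(key: &PublicKey, params: Params) -> Option<usize> {
    match key.bytes.len().checked_sub(params.pub_len) {
        Some(0) | None => None,
        Some(excess) => Some(excess),
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum ExportError {
    /// The supplied parameter set is not the one the key was generated under.
    ParamMismatch { expected: Params, got: Params },
}

/// SOUND wrapper: rejects any parameter set other than the key's own before
/// touching `unsafe`, then sizes the buffer from that single source of truth.
pub fn export_checked(key: &PublicKey, params: Params) -> Result<Vec<u8>, ExportError> {
    if params != key.params {
        return Err(ExportError::ParamMismatch { expected: key.params, got: params });
    }
    let mut out = vec![0u8; key.params.pub_len];
    // Invariant: out.len() == key.bytes.len(), so the FFI write stays in bounds.
    unsafe { ffi_export(key, out.as_mut_ptr()) };
    Ok(out)
}

fn main() {
    let key = PublicKey::sample();
    // Mirrors the advisory's misuse: default params paired with a real key.
    println!("bytes the unsound export would write past its buffer with Params::default(): {:?}",
        would_overrun(&key, Params::default()));
    println!("checked export with default params: {:?}",
        export_checked(&key, Params::default()).err());
    println!("checked export with the key's own params: {} bytes",
        export_checked(&key, key.params()).unwrap().len());
}
```

The fix is structural rather than a bounds check bolted onto the write: the parameter set that determines the buffer size is validated against the key before any raw pointer is handed to the FFI, so the `unsafe` block's precondition holds by construction.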

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-07T19:23:49Z"
}
References

Affected packages

crates.io / ntru

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.4.3
Last affected
0.5.6