Two scenarios were reported where BigInt
and BigUint
multiplication may unexpectedly panic.
mac3
function did not expect the possibility of non-empty all-zero inputs, leading to an unwrap()
panic.Rust panics can either cause stack unwinding or program abort, depending on the application configuration. In some settings, an unexpected panic may constitute a denial-of-service vulnerability.
Both problems were introduced in version 0.4.1, and are fixed in version 0.4.3.
If you have any questions or comments about this advisory, please open an issue in the num-bigint repo.
Thanks to Guido Vranken and Arvid Norberg for privately reporting these issues to the author.
{ "nvd_published_at": null, "cwe_ids": [ "CWE-131", "CWE-20" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-11-03T15:02:32Z" }