GHSA-w7hm-hmxv-pvhf

Source

https://github.com/advisories/GHSA-w7hm-hmxv-pvhf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-w7hm-hmxv-pvhf/GHSA-w7hm-hmxv-pvhf.json

Aliases

• RUSTSEC-2023-0085

Published

2024-04-05T15:06:27Z

Modified

2024-04-11T16:41:43.815805Z

Details

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

use hpack::Decoder;

pub fn main() {
  let input = &[0x3f];
  let mut decoder = Decoder::new();
  let _ = decoder.decode(input);
}

hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.

References

• https://github.com/mlalic/hpack-rs/issues/11
• https://github.com/sno2/hpack-rs-patched/commit/d669282924a95311599e9e7dd53869ee96b3a2f5
• https://github.com/mlalic/hpack-rs
• https://rustsec.org/advisories/RUSTSEC-2023-0085.html