RUSTSEC-2021-0131

Source

https://rustsec.org/advisories/RUSTSEC-2021-0131

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0131.json

Aliases

• BIT-brotli-2020-8927
• BIT-dotnet-2020-8927
• BIT-dotnet-sdk-2020-8927
• CVE-2020-8927
• GHSA-5v8v-66v8-mwm7
• PYSEC-2020-29
• RUSTSEC-2021-0132

Published

2021-12-20T12:00:00Z

Modified

2023-12-06T01:00:42.246508Z

Details

A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB.

An updated version of brotli-sys has not been released. If one cannot update the C library, its authors recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.

In Rust the issue can be mitigated by migrating to the brotli crate, which provides a Rust implementation of Brotli compression and decompression that is not affected by this issue.

References

• https://crates.io/crates/brotli-sys
• https://rustsec.org/advisories/RUSTSEC-2021-0131.html
• https://github.com/bitemyapp/brotli2-rs/issues/45
• https://github.com/google/brotli/releases/tag/v1.0.9