
Packaged version of brotli is affected by CVE-2020-8927

Open insanitybit opened this issue 2 years ago • 2 comments

Brotli versions prior to 1.0.8 are affected by CVE-2020-8927.

https://www.cvedetails.com/cve/CVE-2020-8927/

This is an integer overflow and I believe it is reachable from the rust bindings, but that's just based on a quick perusal of the source code.

I'm currently working on a PR to add an advisory to the rustsec advisory-db as well.

https://github.com/rustsec/advisory-db/pull/1124

insanitybit, Dec 20 '21 21:12

A simple solution is to not vendor Brotli, but to link against a system-provided libbrotli instead, which can be kept up to date independently, and requires no code changes in the Rust code to update. For an example, see https://github.com/ruuda/brotli2-rs/commit/ec1c87ed98b25c30b24c97ebf376d067233acfe4.

ruuda, Oct 16 '22 21:10
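As an added example (not code from the brotli2-rs project or from either commenter): once the crate links against a system libbrotli as suggested above, the remaining question is whether that library is at or past the 1.0.8 fix for CVE-2020-8927. The check below asks pkg-config for the installed version and compares it against that threshold; it assumes pkg-config is available and that the distribution ships a `libbrotlidec.pc` file (the module name is an assumption about the system package).

```rust
use std::process::Command;

/// First Brotli release that fixes CVE-2020-8927 (threshold taken from this issue).
const FIXED: (u64, u64, u64) = (1, 0, 8);

/// Parse "major.minor.patch". Anything else (extra components, suffixes such as
/// "rc1") is rejected so that an unrecognised version is never treated as safe.
fn parse_version(s: &str) -> Result<(u64, u64, u64), String> {
    let parts: Vec<&str> = s.trim().split('.').collect();
    if parts.len() != 3 {
        return Err(format!("unexpected version format: {s:?}"));
    }
    let num = |p: &str| p.parse::<u64>().map_err(|_| format!("non-numeric component in {s:?}"));
    Ok((num(parts[0])?, num(parts[1])?, num(parts[2])?))
}

/// True when the given libbrotli version is at or after the CVE-2020-8927 fix.
fn is_fixed(version: &str) -> Result<bool, String> {
    Ok(parse_version(version)? >= FIXED)
}

/// Query the system libbrotlidec version via pkg-config (assumption: the distro
/// installs libbrotlidec.pc; adjust the module name if yours differs).
fn system_brotli_version() -> Result<String, String> {
    let out = Command::new("pkg-config")
        .args(["--modversion", "libbrotlidec"])
        .output()
        .map_err(|e| format!("could not run pkg-config: {e}"))?;
    if !out.status.success() {
        return Err(String::from_utf8_lossy(&out.stderr).into_owned());
    }
    Ok(String::from_utf8_lossy(&out.stdout).trim().to_string())
}

fn main() {
    match system_brotli_version().and_then(|v| is_fixed(&v).map(|ok| (v, ok))) {
        Ok((v, true)) => println!("libbrotlidec {v}: not affected by CVE-2020-8927"),
        Ok((v, false)) => {
            eprintln!("libbrotlidec {v} is older than 1.0.8: affected by CVE-2020-8927");
            std::process::exit(1);
        }
        Err(e) => {
            eprintln!("could not determine libbrotli version: {e}");
            std::process::exit(2);
        }
    }
}
```

The same `is_fixed` check can be dropped into a `build.rs` to fail the build early instead of discovering the old library at runtime.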