RUSTSEC-2019-0025

Flaw in CBOR deserializer allows stack overflow

Issued
Package
serde_cbor (crates.io)
Type
Vulnerability
Categories
  • crypto-failure
Aliases
Details
https://github.com/pyfisch/cbor/releases/tag/v0.10.2
Patched
  • >=0.10.2
Keywords
  • stack-overflow
  • crash
  • denial-of-service

Description

Affected versions of this crate did not bound how deeply CBOR semantic tags (major type 6) may be nested during deserialization. Each tag wrapping a value costs one more level of recursion in the deserializer, so the recursion depth is controlled entirely by the input.

This allows an attacker to craft small (< 1 kB) CBOR documents, essentially a long run of tag bytes around a single value, that cause a stack overflow and crash the process (denial of service).

The flaw was corrected by limiting the allowed number of nested tags; documents that exceed the limit are rejected with an error instead of being recursed into.
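To make the mechanism concrete, the following is an added example (not serde_cbor's own code) of a minimal recursive-descent CBOR decoder for unsigned integers and semantic tags. It shows why one tag byte equals one stack frame in an unbounded decoder, and what the fix described above looks like: a depth counter checked before recursing. `MAX_TAG_DEPTH`, the `Parser` type and the error names are assumptions for this example, not the crate's actual limit or API; the attacker document is constructed inline.

```rust
// Added example, not serde_cbor's implementation. Decodes CBOR major type 0
// (unsigned int) and major type 6 (semantic tag) only; everything else is
// rejected. MAX_TAG_DEPTH is an assumed limit, not the value the crate chose.

#[derive(Debug, PartialEq)]
pub enum Value {
    Uint(u64),
    Tagged(u64, Box<Value>),
}

#[derive(Debug, PartialEq)]
pub enum Error {
    Truncated,
    TrailingBytes,
    Unsupported(u8), // initial byte this toy decoder does not handle
    TooDeep,
}

/// Assumed nesting limit for this example.
pub const MAX_TAG_DEPTH: usize = 128;

struct Parser<'a> {
    buf: &'a [u8],
    pos: usize,
    max_depth: usize,
}

impl<'a> Parser<'a> {
    fn next_byte(&mut self) -> Result<u8, Error> {
        let b = *self.buf.get(self.pos).ok_or(Error::Truncated)?;
        self.pos += 1;
        Ok(b)
    }

    /// Decode the argument selected by the low 5 bits of the initial byte
    /// (RFC 8949 section 3): 0..=23 inline, 24..=27 a 1/2/4/8-byte big-endian integer.
    fn read_arg(&mut self, initial: u8) -> Result<u64, Error> {
        let info = initial & 0x1f;
        let width = match info {
            0..=23 => return Ok(u64::from(info)),
            24 => 1,
            25 => 2,
            26 => 4,
            27 => 8,
            _ => return Err(Error::Unsupported(initial)),
        };
        let mut v = 0u64;
        for _ in 0..width {
            v = (v << 8) | u64::from(self.next_byte()?);
        }
        Ok(v)
    }

    /// One data item. `depth` counts the tags enclosing it; every tag
    /// recurses once, so the input alone decides how deep the stack goes.
    fn parse_value(&mut self, depth: usize) -> Result<Value, Error> {
        let initial = self.next_byte()?;
        let arg = self.read_arg(initial)?;
        match initial >> 5 {
            0 => Ok(Value::Uint(arg)),
            6 => {
                // The check the advisory describes: refuse to nest further
                // instead of recursing until the stack is exhausted.
                if depth >= self.max_depth {
                    return Err(Error::TooDeep);
                }
                let inner = self.parse_value(depth + 1)?;
                Ok(Value::Tagged(arg, Box::new(inner)))
            }
            _ => Err(Error::Unsupported(initial)),
        }
    }
}

fn parse_with_limit(doc: &[u8], max_depth: usize) -> Result<Value, Error> {
    let mut p = Parser { buf: doc, pos: 0, max_depth };
    let v = p.parse_value(0)?;
    if p.pos != doc.len() {
        return Err(Error::TrailingBytes);
    }
    Ok(v)
}

/// Behaviour of the affected versions: no limit on tag nesting at all.
pub fn parse_unbounded(doc: &[u8]) -> Result<Value, Error> {
    parse_with_limit(doc, usize::MAX)
}

/// Hardened form: nesting is capped at MAX_TAG_DEPTH.
pub fn parse_bounded(doc: &[u8]) -> Result<Value, Error> {
    parse_with_limit(doc, MAX_TAG_DEPTH)
}

/// Constructed attacker document: `n` tag-0 initial bytes (0xc0) wrapping the
/// integer 1. Each tag is a single byte, so n = 900 stays under 1 kB.
pub fn nested_tag_doc(n: usize) -> Vec<u8> {
    let mut doc = vec![0xc0; n];
    doc.push(0x01);
    doc
}

/// Number of tags wrapping the innermost value.
pub fn tag_depth(mut v: &Value) -> usize {
    let mut d = 0;
    while let Value::Tagged(_, inner) = v {
        d += 1;
        v = inner.as_ref();
    }
    d
}

fn main() {
    let doc = nested_tag_doc(900);
    println!("unbounded: {:?} tags deep", parse_unbounded(&doc).map(|v| tag_depth(&v)));
    println!("bounded:   {:?}", parse_bounded(&doc));
}
```

In this toy the frames are small, so 900 levels still fit in a test thread's stack and `parse_unbounded` simply returns a 900-deep value; make the run of `0xc0` bytes long enough and it aborts with a stack overflow, which is the crash the advisory describes for serde_cbor, whose serde-driven recursion uses far more stack per level. `parse_bounded` stops at the limit with `Error::TooDeep` regardless of input length. An alternative hardening, not shown here, is to consume a run of tags in a loop and attach them to the value afterwards, which removes the recursion instead of bounding it.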
