
RUSTSEC-2021-0073

Conversion from prost_types::Timestamp to SystemTime can cause an overflow and panic

Reported
Issued
Package: prost-types (crates.io)
Type: Vulnerability
Categories
Keywords: #denial-of-service
Aliases
References
Patched
  • >=0.8.0
Affected Functions / Version
  • prost_types::Timestamp::Into<SystemTime>: <=0.7.0

Description

Affected versions of this crate contained a bug in which untrusted input could cause an overflow and panic when converting a Timestamp to SystemTime.

It is recommended to upgrade to prost-types v0.8 and switch the usage of From<Timestamp> for SystemTime to TryFrom<Timestamp> for SystemTime.

See #438 for more information.
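
The difference between the infallible and the fallible conversion, as an added example that is not prost's source or code from this advisory: a stand-in Timestamp struct with the message's seconds and nanos fields is converted once with the panicking SystemTime operators and once with checked arithmetic. The struct, the OutOfRange error and both function names are assumptions made for the illustration.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Stand-in for the decoded message (assumed type, not prost's): the same
/// two fields as protobuf's Timestamp.
#[derive(Clone, Copy, Debug)]
pub struct Timestamp {
    pub seconds: i64,
    pub nanos: i32,
}

/// Hypothetical error type for this example.
#[derive(Debug, PartialEq, Eq)]
pub struct OutOfRange;

/// Infallible style, for contrast: `+` and `-` on SystemTime panic when the
/// result is not representable, so a hostile message can abort the caller.
pub fn to_system_time_panicking(ts: Timestamp) -> SystemTime {
    let secs = Duration::from_secs(ts.seconds.unsigned_abs());
    let nanos = Duration::from_nanos(u64::from(ts.nanos.unsigned_abs()));
    let t = if ts.seconds < 0 { UNIX_EPOCH - secs } else { UNIX_EPOCH + secs };
    if ts.nanos < 0 { t - nanos } else { t + nanos }
}

/// Fallible style: every step is checked and overflow becomes an error value.
pub fn to_system_time(ts: Timestamp) -> Result<SystemTime, OutOfRange> {
    // unsigned_abs() is defined for i64::MIN, where `-ts.seconds` would overflow.
    let secs = Duration::from_secs(ts.seconds.unsigned_abs());
    let nanos = Duration::from_nanos(u64::from(ts.nanos.unsigned_abs()));
    let step = |t: SystemTime, negative: bool, d: Duration| {
        if negative { t.checked_sub(d) } else { t.checked_add(d) }
    };
    step(UNIX_EPOCH, ts.seconds < 0, secs)
        .and_then(|t| step(t, ts.nanos < 0, nanos))
        .ok_or(OutOfRange)
}

fn main() {
    // Constructed inputs: an ordinary value and one chosen to force overflow.
    let ok = Timestamp { seconds: 1_600_000_000, nanos: 500 };
    let hostile = Timestamp { seconds: i64::MAX, nanos: i32::MAX };
    println!("{:?}", to_system_time(ok));
    println!("{:?}", to_system_time(hostile));
}
```

Code that decodes timestamps from untrusted peers should treat the error branch as a rejected message rather than unwrapping it.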

Advisory available under CC0-1.0 license.