HistoryEditJSON (OSV)

RUSTSEC-2021-0121

Non-aligned u32 read in Chacha20 encryption and decryption

Reported
Issued
Package
crypto2 (crates.io)
Type
INFO Unsound
Keywords
#crypto #alignment #unsound
Aliases
References
Patched
no patched versions
Affected Functions
Version
crypto2::streamcipher::Chacha20::decrypt_slice
  • *
crypto2::streamcipher::Chacha20::encrypt_slice
  • *
crypto2::streamcipher::xor_si512_inplace
  • *

Description

The implementation does not enforce alignment requirements on input slices while incorrectly assuming 4-byte alignment through an unsafe call to std::slice::from_raw_parts_mut, which breaks the contract and introduces undefined behavior.

This affects Chacha20 encryption and decryption in crypto2.

Advisory available under CC0-1.0 license.