
RUSTSEC-2023-0032

Unsound FFI: Wrong API usage causes write past allocated area

Reported:
Issued:
Package: ntru (crates.io)
Type: INFO Unsound
Categories:
Keywords: #ffi #buffer-overflow
Aliases:
References:
Patched: no patched versions

Affected Functions (affected versions)
  ntru::types::PrivateKey::export: >=0.4.3
  ntru::types::PublicKey::export: >=0.4.3

Description

The following usage causes undefined behavior:

    let kp: ntru::types::KeyPair = …;
    kp.get_public().export(Default::default())

When compiled with debug assertions, the code above triggers an "attempt to subtract with overflow" panic before the undefined behavior is reached. Other mistakes (for example, passing EncParams that belong to a different key) may always trigger undefined behavior.

Likely, older versions of this crate are also affected, but have not been tested.
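A hardened wrapper shape for this class of bug, added here as an illustration and not the ntru crate's own code: the key records the parameter set it was generated with, and export rejects caller-supplied params that disagree with it, so the buffer handed to the foreign function is always sized for the key that will be written into it. The C routine is simulated by a Rust function writing through a raw pointer; EncParams, PublicKey and ffi_export are assumed names modelled on the advisory's identifiers, and the key bytes are a constructed pattern.

```rust
use std::ptr;

/// Parameter set a key was generated with (modelled on ntru's EncParams; assumption).
/// Default gives a zero-length set, mirroring the `Default::default()` misuse above.
#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
pub struct EncParams {
    pub public_len: usize,
}

/// A public key that remembers its own parameter set.
pub struct PublicKey {
    params: EncParams,
    raw: Vec<u8>,
}

/// Stand-in for the C export routine: it writes `key.raw.len()` bytes to `out` and
/// trusts the caller to have allocated at least that many. This is the unsound shape:
/// the writer's length comes from the key, while the original buffer was sized from
/// whatever params the caller passed, so a smaller set writes past the allocation.
unsafe fn ffi_export(key: &PublicKey, out: *mut u8) {
    ptr::copy_nonoverlapping(key.raw.as_ptr(), out, key.raw.len());
}

#[derive(Debug, PartialEq, Eq)]
pub enum ExportError {
    ParamMismatch { expected: EncParams, got: EncParams },
}

impl PublicKey {
    /// Constructed sample key: a repeating byte pattern of the parameter set's length.
    pub fn new(params: EncParams) -> Self {
        let raw: Vec<u8> = (0..params.public_len).map(|i| (i % 251) as u8).collect();
        PublicKey { params, raw }
    }

    /// Hardened export: refuse params that disagree with the key before any FFI
    /// call, and size the output buffer from the key's own params, never the caller's.
    pub fn export(&self, params: EncParams) -> Result<Vec<u8>, ExportError> {
        if params != self.params {
            return Err(ExportError::ParamMismatch { expected: self.params, got: params });
        }
        let mut buf = vec![0u8; self.params.public_len];
        // Safe because `buf` holds exactly `self.raw.len()` bytes.
        unsafe { ffi_export(self, buf.as_mut_ptr()) };
        Ok(buf)
    }
}
```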

Advisory available under CC0-1.0 license.