mirror of https://github.com/rustsec/advisory-db.git synced 2025-12-27 01:54:07 -05:00

Files

github-actions[bot] c9858c0fc6 Synchronize IDs (2024-04-11) (#1936 )

Co-authored-by: amousset <329388+amousset@users.noreply.github.com>

2024-04-11 17:16:20 +01:00

1023 B

Raw Permalink Blame History

[advisory]
id = "RUSTSEC-2023-0085"
package = "hpack"
date = "2023-09-15"
url = "https://github.com/mlalic/hpack-rs/issues/11"
categories = ["denial-of-service"]
references = ["https://github.com/sno2/hpack-rs-patched/commit/d669282924a95311599e9e7dd53869ee96b3a2f5"]
aliases = ["GHSA-w7hm-hmxv-pvhf"]

[versions]
patched = []

HPACK decoder panics on invalid input

Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.

Example code that triggers this vulnerability looks like this:

use hpack::Decoder;

pub fn main() {
  let input = &[0x3f];
  let mut decoder = Decoder::new();
  let _ = decoder.decode(input);
}

hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.

Also consider using fluke-hpack or httlib-huffman as an alternative.

1023 B Raw Permalink Blame History

HPACK decoder panics on invalid input

1023 B

Raw Permalink Blame History