Skip to content

ntru-rs has unsound FFI: Wrong API usage causes write past allocated area

Moderate severity GitHub Reviewed Published Apr 7, 2023 to the GitHub Advisory Database • Updated Apr 7, 2023

Package

cargo ntru (Rust)

Affected versions

>= 0.4.3, <= 0.5.6

Patched versions

None

Description

The following usage causes undefined behavior.

let kp: ntru::types::KeyPair = …;
kp.get_public().export(Default::default())

When compiled with debug assertions, the code above will trigger a attempt to subtract with overflow panic before UB occurs.
Other mistakes (e.g. using EncParams from a different key) may always trigger UB.

Likely, older versions of this crate are also affected, but have not been tested.

References

Published to the GitHub Advisory Database Apr 7, 2023
Reviewed Apr 7, 2023
Last updated Apr 7, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-fq33-vmhv-48xh

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.