Integer Overflow in Rust's Zip Library Can Lead to Buffer Overflow
CVE-2021-28879

9.8CRITICAL

Key Information:

Vendor: Rust-lang
Status: Rust
Vendor: CVE Published:; 11 April 2021

Summary

The Zip implementation within Rust's standard library, prior to version 1.52.0, contains a flaw that can manifest as an integer overflow when processing Zip file sizes. This can result in the library returning an erroneous size, which may ultimately lead to a buffer overflow vulnerability if a Zip iterator that has already been consumed is reused. Consequently, this issue poses significant security risks, making it essential for users to update to the patched version to mitigate potential exploits.

References

https://github.com/rust-lang/rust/issues/82282

https://github.com/rust-lang/rust/pull/82289

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 11, 2021
Vulnerability Reserved
Mar 19, 2021