Skip to content

Non-aligned u32 read in Chacha20 encryption and decryption

High severity GitHub Reviewed Published Jun 16, 2022 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

cargo crypto2 (Rust)

Affected versions

<= 0.1.2

Patched versions

None

Description

The implementation does not enforce alignment requirements on input slices while incorrectly assuming 4-byte alignment through an unsafe call to std::slice::from_raw_parts_mut, which breaks the contract and introduces undefined behavior.

This affects Chacha20 encryption and decryption in crypto2.

References

Published to the GitHub Advisory Database Jun 16, 2022
Reviewed Jun 16, 2022
Last updated Jun 13, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-pmcv-mgcf-rvxg

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.