GHSA-g9f8-wqj9-fjw5: russh, russh-cryptovec

[kpcyrd]

Affected crate(s)

• russh
• russh-cryptovec

Links to upstream issue(s) or PR(s)

• GHSA-g9f8-wqj9-fjw5
• Eugeny/russh@a2d48a7

Severity

denial-of-service through unchecked allocations

Checklist

• Advisory filename(s) starts with RUSTSEC-0000-0000 as the ID
• date field is set to the public disclosure date
• Contains a concise and descriptive title after advisory metadata
• Asked maintainer(s) if publishing an advisory is appropriate

Fixes #2892

[djc]

It looks like this should be a single advisory for just the cryptovec crate? Presumably all russh users will depend on that anyway.

[kpcyrd]

This part is in the russh crate:

        if len > MAX_AGENT_FRAME_LEN {
            return Err(Error::AgentProtocolError);
        }

Without it, users may allocate up to u32::MAX/4GB.

I don't have strong opinions on this though, making it a single advisory for russh-cryptovec is also fine with me.

[djc]

Okay, in that case it might be better to have two, but I'd prefer to not have the same advisory text for both but clearly articulate the particulars for each crate.