
parse_duration: parse DoS through payloads with big exponent #827

Merged
merged 4 commits into from
Mar 25, 2021

Conversation

disconnect3d
Contributor

No description provided.

@tarcieri
Member

It looks like the directory the advisory is inside of doesn't match the package name, i.e.:

crates/parse_duration should be crates/parse-duration

@disconnect3d disconnect3d changed the title parse_duration: parse denial of service through payloads with big exponent parse-duration: parse DoS through payloads with big exponent Mar 18, 2021
@disconnect3d
Contributor Author

> It looks like the directory the advisory is inside of doesn't match the package name, i.e.:
>
> crates/parse_duration should be crates/parse-duration

Fixed!

@tarcieri
Member

Oh whoops, my bad, it looks like the name on crates.io has an underscore: https://crates.io/crates/parse_duration

So: crates/parse-duration should be crates/parse_duration

Sorry about that

@disconnect3d disconnect3d changed the title parse-duration: parse DoS through payloads with big exponent parse_duration: parse DoS through payloads with big exponent Mar 18, 2021
@disconnect3d
Contributor Author

Haha; fixed! :)

@disconnect3d
Contributor Author

> Oh whoops, my bad, it looks like the name on crates.io has an underscore: https://crates.io/crates/parse_duration
>
> So: crates/parse-duration should be crates/parse_duration
>
> Sorry about that

Hmm the linter says it should be parse-duration 🤐

Co-authored-by: Tony Arcieri <bascule@gmail.com>
@tarcieri
Member

Advisory looks well-formatted now.

I suppose the question remains of whether this fits our DoS policy or not.

If I understand correctly this is an algorithmic DoS as opposed to a simple panic, in a crate which appears designed to act on untrusted data, so I'd vote yes.

@alex @Shnatsel any thoughts?

@Shnatsel
Member

If the crate developers want to report this, I don't see why not include this advisory.

@disconnect3d
Contributor Author

> If the crate developers want to report this, I don't see why not include this advisory.

Just to be clear: I am not the parse_duration crate developer. I found this issue independently, while someone else also reported it a year ago. There has been no response from the maintainer or fix since then. Anyway, I think making people aware of this issue by adding it to RustSec (and so e.g. cargo audit) may benefit projects that use or would use this crate.
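As an added example that is not part of this PR or of the parse_duration crate, the following shows the defensive pattern that addresses the class of problem discussed above (an algorithmic DoS from a payload with a huge exponent, as opposed to a simple panic): a number-with-exponent parser that bounds the exponent by its textual length and value before doing any arithmetic, so the cost stays linear in the input length. The function name, the integer-only grammar and the exponent limit are assumptions for illustration.

```rust
/// Largest decimal exponent honoured by the parser. Any larger value cannot
/// fit in a u64 anyway, so it is rejected before any arithmetic happens.
/// (Assumed limit chosen for this example, not a value from the crate.)
const MAX_EXPONENT: u32 = 19;

/// Parse an unsigned integer with an optional decimal exponent ("15e3",
/// "15E-1", "42") into a u64. Returns None for malformed, oversized or
/// overflowing input. Negative exponents truncate toward zero.
/// Runs in O(len) no matter how many digits the written exponent has.
pub fn parse_bounded_scientific(s: &str) -> Option<u64> {
    let s = s.trim();
    let (mantissa, exponent) = match s.split_once(|c: char| c == 'e' || c == 'E') {
        Some((m, e)) => (m, e),
        None => (s, "0"),
    };
    if mantissa.is_empty() || !mantissa.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    let (negative, digits) = match exponent.strip_prefix('-') {
        Some(d) => (true, d),
        None => (false, exponent.strip_prefix('+').unwrap_or(exponent)),
    };
    // Bound the exponent by its length first: more than three digits can never
    // be within MAX_EXPONENT, so a 100 000-digit exponent is refused without
    // ever being converted to a number or fed into a power computation.
    if digits.is_empty() || digits.len() > 3 || !digits.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    let exp: u32 = digits.parse().ok()?;
    if exp > MAX_EXPONENT {
        return None;
    }
    // Mantissa parsing is linear in its length; checked_mul catches overflow
    // that a small exponent can still cause (e.g. "2e19").
    let mut value: u64 = mantissa.parse().ok()?;
    for _ in 0..exp {
        value = if negative { value / 10 } else { value.checked_mul(10)? };
    }
    Some(value)
}
```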
