CVE-2017-1000430: Integer overflow in base64

August 25, 2021

Affected versions of this crate suffered from an integer overflow bug when calculating the size of a buffer to use when encoding base64 using the encode_config_buf and encode_config functions. If the input string was large, this would cause a buffer to be allocated that was too small. Since this function writes to the buffer using unsafe code, it would allow an attacker to write beyond the buffer, causing memory corruption and possibly the execution of arbitrary code.

This flaw was corrected by using checked arithmetic to calculate the size of the buffer.

References

github.com/advisories/GHSA-x67x-vg9m-65c3
github.com/alicemaz/rust-base64
github.com/alicemaz/rust-base64/commit/24ead980daf11ba563e4fb2516187a56a71ad319
nvd.nist.gov/vuln/detail/CVE-2017-1000430
rustsec.org/advisories/RUSTSEC-2017-0004.html

Detect and mitigate CVE-2017-1000430 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →