CVE-2021-45709: Use of a Broken or Risky Cryptographic Algorithm in crypto2
The implementation does not check that input slices are 4-byte aligned, yet an unsafe call to std::slice::from_raw_parts_mut reinterprets them as if they were. This violates that function's safety contract and introduces undefined behavior.
This affects ChaCha20 encryption and decryption in crypto2.
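The bug class described above is a byte buffer being viewed as `u32` words through `from_raw_parts_mut` without the alignment precondition that call requires. The following Rust snippet is an added example, not code from crypto2: it shows a check for the precondition (`is_u32_view_sound`), an alignment-agnostic alternative that never needs the raw-pointer cast (`words_le`, `xor_words_into`), and a demonstration that slicing one byte into an aligned buffer already breaks the precondition. All function and type names here are hypothetical.

```rust
// Added example (not crypto2's code). Demonstrates why a u32 view over a
// byte slice needs an alignment check, and how to avoid needing one at all.

/// Preconditions a `&mut [u32]` view via `from_raw_parts_mut` would require:
/// length is a multiple of 4 and the start address is 4-byte aligned.
pub fn is_u32_view_sound(bytes: &[u8]) -> bool {
    bytes.len() % 4 == 0 && (bytes.as_ptr() as usize) % std::mem::align_of::<u32>() == 0
}

/// Alignment-agnostic: decode little-endian u32 words from any byte slice.
/// `from_le_bytes` copies the bytes, so no alignment assumption is made.
pub fn words_le(bytes: &[u8]) -> Vec<u32> {
    bytes
        .chunks_exact(4)
        .map(|c| u32::from_le_bytes([c[0], c[1], c[2], c[3]]))
        .collect()
}

/// XOR a keystream (as u32 words) into a byte buffer in place. This is the
/// shape of a stream-cipher apply step, written without any raw-pointer cast.
pub fn xor_words_into(buf: &mut [u8], keystream: &[u32]) {
    for (chunk, word) in buf.chunks_exact_mut(4).zip(keystream) {
        let v = u32::from_le_bytes([chunk[0], chunk[1], chunk[2], chunk[3]]) ^ word;
        chunk.copy_from_slice(&v.to_le_bytes());
    }
}

/// A 4-byte-aligned backing buffer (constructed for the demonstration).
#[repr(align(4))]
pub struct Aligned(pub [u8; 16]);

/// Returns (sound, sound) for an aligned sub-slice and for the same buffer
/// offset by one byte. The second case is exactly where the unchecked cast
/// would be undefined behavior.
pub fn misaligned_example() -> (bool, bool) {
    let a = Aligned([0u8; 16]);
    (is_u32_view_sound(&a.0[..8]), is_u32_view_sound(&a.0[1..9]))
}

fn main() {
    println!("aligned / misaligned sound: {:?}", misaligned_example());
    let mut buf = [0xffu8; 8];
    xor_words_into(&mut buf, &words_le(&[1, 0, 0, 0, 0, 0, 1, 0]));
    println!("xored buffer: {:02x?}", buf);
}
```

The practical takeaway for reviewing similar code: any `from_raw_parts_mut` over a caller-supplied `&[u8]` needs a guard like `is_u32_view_sound` before it, or better, should be replaced by the `chunks_exact` / `from_le_bytes` pattern, which the compiler lowers to equivalent loads on platforms that tolerate unaligned access and to correct byte loads elsewhere.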