GHSA-pmcv-mgcf-rvxg: Non-aligned u32 read in Chacha20 encryption and decryption
The implementation does not enforce alignment requirements on input slices while incorrectly assuming 4-byte alignment through an unsafe call to std::slice::from_raw_parts_mut, which breaks the contract and introduces undefined behavior.
This affects Chacha20 encryption and decryption in crypto2.
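An added example, not code from crypto2 or from the advisory: a keystream XOR that serializes each 32-bit word with to_le_bytes instead of casting the byte slice to u32, so it is well-defined for any input alignment. The function names, the Aligned wrapper and the keystream words are constructed for illustration.

```rust
use std::mem::align_of;

/// True when the slice start satisfies u32 alignment, the precondition a
/// `&mut [u8]` -> `&mut [u32]` view built with from_raw_parts_mut depends on.
fn is_u32_aligned(bytes: &[u8]) -> bool {
    (bytes.as_ptr() as usize) % align_of::<u32>() == 0
}

/// XOR little-endian keystream words into `data` with no pointer cast.
/// Safe for any alignment; a trailing partial word is handled by the zip.
fn xor_keystream(data: &mut [u8], keystream: &[u32]) {
    assert!(data.len() <= keystream.len() * 4, "keystream too short");
    for (chunk, word) in data.chunks_mut(4).zip(keystream) {
        let ks = word.to_le_bytes();
        for (b, k) in chunk.iter_mut().zip(ks.iter()) {
            *b ^= *k;
        }
    }
}

/// Backing store forced to a 4-byte boundary, so a slice starting at
/// index 1 is guaranteed to be misaligned for u32.
#[repr(align(4))]
struct Aligned([u8; 17]);

/// Returns (input was u32-aligned, first four output bytes, round trip ok).
fn demo() -> (bool, [u8; 4], bool) {
    // Constructed words, not real ChaCha20 output.
    let keystream = [0x0403_0201u32, 0x0807_0605, 0x0c0b_0a09, 0x100f_0e0d];
    let mut buf = Aligned([0u8; 17]);
    let msg = &mut buf.0[1..]; // 16 zero bytes, one byte past the boundary
    let aligned = is_u32_aligned(msg);
    xor_keystream(msg, &keystream);
    let first = [msg[0], msg[1], msg[2], msg[3]];
    xor_keystream(msg, &keystream); // applying the same keystream again decrypts
    let restored = msg.iter().all(|&b| b == 0);
    (aligned, first, restored)
}

fn main() {
    let (aligned, first, restored) = demo();
    println!("aligned={aligned} first={first:?} restored={restored}");
}
```

Code that keeps a word-sized fast path can gate it on a check like is_u32_aligned (or use slice::align_to) and fall back to the byte-wise loop otherwise.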