GHSA-fq33-vmhv-48xh: ntru-rs has unsound FFI: Wrong API usage causes write past allocated area

April 7, 2023

The following usage causes undefined behavior.

let kp: ntru::types::KeyPair = …;
kp.get_public().export(Default::default())

When compiled with debug assertions, the code above will trigger a attempt to subtract with overflow panic before UB occurs. Other mistakes (e.g. using EncParams from a different key) may always trigger UB.

Likely, older versions of this crate are also affected, but have not been tested.

References

github.com/FrinkGlobal/ntru-rs
github.com/FrinkGlobal/ntru-rs/issues/8
github.com/advisories/GHSA-fq33-vmhv-48xh
rustsec.org/advisories/RUSTSEC-2023-0032.html

Detect and mitigate GHSA-fq33-vmhv-48xh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →