GHSA-v935-pqmr-g8v9: Unexpected panics in num-bigint

November 3, 2021

Two scenarios were reported where BigInt and BigUint multiplication may unexpectedly panic.

The internal mac3 function did not expect the possibility of non-empty all-zero inputs, leading to an unwrap() panic.
A buffer was allocated with less capacity than needed for an intermediate result, leading to an assertion panic.

Rust panics can either cause stack unwinding or program abort, depending on the application configuration. In some settings, an unexpected panic may constitute a denial-of-service vulnerability.

References

github.com/advisories/GHSA-v935-pqmr-g8v9
github.com/rust-num/num-bigint
github.com/rust-num/num-bigint/pull/228
github.com/rust-num/num-bigint/security/advisories/GHSA-v935-pqmr-g8v9

Detect and mitigate GHSA-v935-pqmr-g8v9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →