CVE-2020-35858: Out of bounds write in prost

August 25, 2021 (updated June 13, 2023)

Affected versions of this crate contained a bug in which decoding untrusted input could overflow the stack. On architectures with stack probes (like x86), this can be used for denial of service attacks, while on architectures without stack probes (like ARM) overflowing the stack is unsound and can result in potential memory corruption (or even RCE).

References

github.com/advisories/GHSA-gv73-9mwv-fwgq
github.com/danburkert/prost
github.com/danburkert/prost/commit/04091d3e745c27590a5f1b7f581793e4159486b5
github.com/danburkert/prost/issues/267
nvd.nist.gov/vuln/detail/CVE-2020-35858
rustsec.org/advisories/RUSTSEC-2020-0002.html

Detect and mitigate CVE-2020-35858 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →