CVE-2018-20989: Integer underflow in untrusted

August 25, 2021 (updated June 13, 2023)

A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn’t properly check for errors returned by untrusted. Combination of these two programming errors (one in untrusted and another by user of this crate) could lead to a panic and maybe a denial of service of affected software. The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It’s also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly.

References

github.com/advisories/GHSA-wq8f-46ww-6c2h
github.com/briansmith/untrusted
github.com/briansmith/untrusted/pull/20
nvd.nist.gov/vuln/detail/CVE-2018-20989
rustsec.org/advisories/RUSTSEC-2018-0001.html

Detect and mitigate CVE-2018-20989 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →