Create advisory for DoS in Rosenpass <=0.2.0 (#1823)

pcwizz · web-flow · commit 20107217b779 · 2023-12-21T11:44:13.000-07:00
diff --git a/crates/rosenpass/RUSTSEC-0000-0000.md b/crates/rosenpass/RUSTSEC-0000-0000.md
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "rosenpass"
+date = "2023-11-04"
+references = ["https://github.com/rosenpass/rosenpass/commit/93439858d1c44294a7b377f775c4fc897a370bb2"]
+categories = ["denial-of-service"]
+keywords = ["remote", "single-byte"]
+license = "CC0-1.0"
+
+[versions]
+patched = [">= 0.2.1"]
+```
+
+# Remotely exploitable DoS condition in Rosenpass <=0.2.0
+
+Affected version do this crate did not validate the size of buffers when attempting to decode messages.
+
+This allows an attacker to trigger a panic by sending a UDP datagram with a 1 byte payload over network.
+
+This flaw was corrected by validating the size of the buffers before attempting to decode the message.
