Create advisory for DoS in Rosenpass <=0.2.0

pcwizz · pcwizz · commit f53e4ba3e7bc · 2023-11-19T16:13:41.000+01:00
diff --git a/crates/rosenpass/RUSTSEC-0000-0000.md b/crates/rosenpass/RUSTSEC-0000-0000.md
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+
+package = "rosenpass"
+
+date = "2023-11-04"
+
+references = ["https://github.com/rosenpass/rosenpass/commit/93439858d1c44294a7b377f775c4fc897a370bb2"]
+
+categories = ["denial-of-service"]
+
+keywords = ["remote", "single-byte"]
+
+license = "CC0-1.0"
+
+[versions]
+patched = [">= 0.2.1"]
+```
+
+# Remotely exploitable DoS condition in Rosenpass <=0.2.0
+
+Affected version do this crate did not validate the size of buffers when attempting to decode messages.
+
+This allows an attacker to trigger a panic by sending a UDP datagram with a 1 byte payload over network.
+
+This flaw was corrected by validating the size of the buffers before attempting to decode the message.
