parse_duration: `parse` DoS through payloads with big exponent by disconnect3d ·...

Copy link

Contributor

tarcieri commented on Mar 18, 2021

It looks like the directory the advisory is inside of doesn't match the package name, i.e.:

crates/parse_duration should be crates/parse-duration

disconnect3d commented on Mar 18, 2021

It looks like the directory the advisory is inside of doesn't match the package name, i.e.:

crates/parse_duration should be crates/parse-duration

Fixed!

tarcieri commented on Mar 18, 2021

Oh whoops, my bad, it looks like the name on crates.io has an underscore: https://crates.io/crates/parse_duration

So: crates/parse-duration should be crates/parse_duration

Sorry about that

disconnect3d commented on Mar 18, 2021

Haha; fixed! :)

disconnect3d commented on Mar 18, 2021

Oh whoops, my bad, it looks like the name on crates.io has an underscore: https://crates.io/crates/parse_duration

So: crates/parse-duration should be crates/parse_duration

Sorry about that

Hmm the linter says it should be parse-duration

tarcieri commented on Mar 18, 2021

Advisory looks well-formatted now.

I suppose the question remains of whether this fits our DoS policy or not.

If I understand correctly this is an algorithmic DoS as opposed to a simple panic, in a crate which appears designed to act on untrusted data, so I'd vote yes.

@alex @Shnatsel any thoughts?

Shnatsel commented on Mar 19, 2021

If the crate developers want to report this, I don't see why not include this advisory.

disconnect3d commented on Mar 19, 2021

If the crate developers want to report this, I don't see why not include this advisory.

Just to be clear: I am not the parse_duration crate developer. I found this issue independently while someone else also reported it a year ago. There was no response from the maintainer or fix since then. Anyway, I think making people aware of this issue by adding it to RustSec (and so e.g. cargo audit) may benefit projects who use or would use this crate.