RUSTSEC-2023-0084
(unmaintained)
on 2023-09-15:
hpack is unmaintained
RUSTSEC-2023-0085
on 2023-09-15: HPACK decoder panics on invalid input
Due to insufficient checking of input data, decoding certain data sequences can lead to Decoder::decode panicking rather than returning an error.
Example code that triggers this vulnerability looks like this:
use hpack::Decoder;
pub fn main() {
let input = &[0x3f];
let mut decoder = Decoder::new();
let _ = decoder.decode(input);
}
hpack is unmaintained. A crate with the panics fixed has been published as hpack-patched.
Also consider using fluke-hpack or httlib-huffman as an alternative.
https://github.com/sno2/hpack-rs-patched/commit/d669282924a95311599e9e7dd53869ee96b3a2f5
This crate has no reviews yet. To add a review, set up your cargo-crev.
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.
To review the actual code of the crate, it's best to use cargo crev open hpack. Alternatively, you can download the tarball of hpack v0.3.0 or view the source online.
The
hpackcrate is no longer maintained.Consider using fluke-hpack or httlib-huffman.