panic on parsing crafted phonenumber inputs
Critical severity
GitHub Reviewed
Published
Jul 9, 2024
in
whisperfish/rust-phonenumber
•
Updated Nov 18, 2024
Description
Published to the GitHub Advisory Database
Jul 9, 2024
Reviewed
Jul 9, 2024
Published by the National Vulnerability Database
Jul 9, 2024
Last updated
Nov 18, 2024
Impact
The phonenumber parsing code may panic due to a reachable
assert!
guard on the phonenumber string.In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form
+dwPAA;phone-context=AA
, where the "number" part potentially parses as a number larger than 2^56.Since f69abee1/0.3.4/#52.
0.2.x series is not affected.
Patches
Upgrade to 0.3.6 or higher.
Workarounds
n/a
References
Whereas whisperfish/rust-phonenumber#69 did not provide an example code path, property testing found a few:
+dwPAA;phone-context=AA
.References