
Bump ring to 0.17.3 to mitigate RUSTSEC-2025-0009 #7769

Merged
merged 1 commit into from
Mar 7, 2025


MarkusPettersson98
Contributor

@MarkusPettersson98 MarkusPettersson98 commented Mar 7, 2025

This PR bumps ring to version 0.17.13, which includes a mitigation for RUSTSEC-2025-0009.

We are not affected by this, since we do not encrypt/decrypt 64 gigabyte payloads:

ring::aead::quic::HeaderProtectionKey::new_mask() may panic when overflow checking is enabled. In the QUIC protocol, an attacker can induce this panic by sending a specially-crafted packet. Even unintentionally it is likely to occur in 1 out of every 2**32 packets sent and/or received.

On 64-bit targets operations using ring::aead::{AES_128_GCM, AES_256_GCM} may panic when overflow checking is enabled, when encrypting/decrypting approximately 68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk.

Protocols like TLS and SSH are not affected by this because those protocols break large amounts of data into small chunks. Similarly, most applications will not attempt to encrypt/decrypt 64GB of data in one chunk.
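As an added example, not code from this PR or its project: two checks a Rust codebase can run against the advisory above. The first scans a Cargo.lock (standard TOML layout assumed; the excerpts are constructed) for any `ring` entry below 0.17.13, the fixed version named in the description; the second is the chunk-size guard a TLS-style chunking layer would apply, using the AES-GCM per-operation bound from NIST SP 800-38D, which is the "approximately 68,719,476,700 bytes" figure.

```rust
// Added example, not part of the PR. Standard library only.

/// First `ring` release with the mitigation, per the PR description.
const FIXED_RING: (u64, u64, u64) = (0, 17, 13);

/// AES-GCM authenticates at most 2^32 - 2 blocks of 16 bytes in one call
/// (NIST SP 800-38D); this is the bound the advisory's panic sits near.
const AES_GCM_MAX_CHUNK: u64 = (u32::MAX as u64 - 1) * 16; // 68_719_476_704

/// Parse "MAJOR.MINOR.PATCH"; None for anything else.
fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.trim().split('.').map(|p| p.parse::<u64>().ok());
    let t = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { return None; }
    Some(t)
}

/// Visit every `[[package]]` entry named "ring" in a Cargo.lock and report
/// whether all of them are at or above FIXED_RING. Err if ring is absent
/// (nothing to check) or a version string is malformed.
fn ring_is_mitigated(lockfile: &str) -> Result<bool, String> {
    let (mut in_ring, mut found, mut all_ok) = (false, false, true);
    for line in lockfile.lines().map(str::trim) {
        if line == "[[package]]" {
            in_ring = false; // new entry; forget the previous name
        } else if line == "name = \"ring\"" {
            in_ring = true;
            found = true;
        } else if in_ring {
            if let Some(v) = line.strip_prefix("version = \"") {
                let v = v.trim_end_matches('"');
                let parsed = parse_semver(v).ok_or(format!("bad version: {v}"))?;
                all_ok &= parsed >= FIXED_RING;
                in_ring = false;
            }
        }
    }
    if !found { return Err("ring is not in this lockfile".into()); }
    Ok(all_ok)
}

/// A chunking layer (as TLS/SSH do) must never hand ring more than this.
fn chunk_len_is_safe(len: u64) -> bool {
    len <= AES_GCM_MAX_CHUNK
}

/// Constructed lockfile excerpts, not the project's real Cargo.lock.
const PATCHED_LOCK: &str = "[[package]]\nname = \"ring\"\nversion = \"0.17.13\"\ndependencies = [\n \"untrusted\",\n]\n";
const OLD_LOCK: &str = "[[package]]\nname = \"rand\"\nversion = \"0.8.5\"\n\n[[package]]\nname = \"ring\"\nversion = \"0.17.3\"\n";

fn main() {
    println!("patched lock mitigated: {:?}", ring_is_mitigated(PATCHED_LOCK));
    println!("old lock mitigated: {:?}", ring_is_mitigated(OLD_LOCK));
    println!("1 GiB chunk safe: {}", chunk_len_is_safe(1 << 30));
}
```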


@MarkusPettersson98 MarkusPettersson98 requested a review from dlon March 7, 2025 08:57
Member

@dlon dlon left a comment


:lgtm:

Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

@MarkusPettersson98 MarkusPettersson98 changed the title Bump ring to >=0.17.3 to mitigate RUSTSEC-2025-0009 Bump ring to 0.17.3 to mitigate RUSTSEC-2025-0009 Mar 7, 2025
@MarkusPettersson98 MarkusPettersson98 merged commit 2dc82d5 into main Mar 7, 2025
35 of 37 checks passed
@MarkusPettersson98 MarkusPettersson98 deleted the bump-ring branch March 7, 2025 09:04