panic on parsing crafted phonenumber inputs

High severity GitHub Reviewed Published Jul 9, 2024 in whisperfish/rust-phonenumber • Updated Sep 5, 2024

Package

cargo phonenumber (Rust)

Affected versions

>= 0.3.4, < 0.3.6

Patched versions

0.3.6

Description

Impact

The phone number parsing code may panic because of an assert! guard that is reachable from the phone number string being parsed.

In a typical deployment of rust-phonenumber, this may be triggered by feeding it a maliciously crafted phone number, e.g. over the network; specifically, strings of the form +dwPAA;phone-context=AA, where the "number" part potentially parses as a number larger than 2^56.

Since f69abee1/0.3.4/#52.

The 0.2.x series is not affected.
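The failure mode described above, shown as an added example that is not rust-phonenumber's own code: a hypothetical number type whose range invariant (values below 2^56) is enforced with assert!, beside the same check reported as an error, and a catch_unwind probe of the kind property testing applies to find such panics. It assumes a toy decimal-digit parser, so the crafted input is a constructed all-digit string rather than the advisory's letter-bearing sample.

```rust
use std::panic;

// Bound from the advisory: a national number of 2^56 or more trips the guard.
const MAX_NATIONAL: u64 = 1 << 56;

// Hypothetical helper: the digits after a leading '+' and before the first ';'
// (the "+<number>;phone-context=..." shape quoted in the advisory).
fn number_part(input: &str) -> &str {
    let s = input.strip_prefix('+').unwrap_or(input);
    s.split(';').next().unwrap_or("")
}

// Vulnerable pattern: the range invariant is enforced with assert!, so a caller
// that feeds untrusted input can be crashed by one out-of-range number.
fn parse_asserting(input: &str) -> Option<u64> {
    let value: u64 = number_part(input).parse().ok()?;
    assert!(value < MAX_NATIONAL, "national number exceeds 2^56");
    Some(value)
}

#[derive(Debug, PartialEq)]
enum ParseError { NotANumber, OutOfRange }

// Hardened pattern: the same invariant, reported as an Err the caller handles
// instead of a panic that unwinds through the request handler.
fn parse_checked(input: &str) -> Result<u64, ParseError> {
    let value: u64 = number_part(input).parse().map_err(|_| ParseError::NotANumber)?;
    if value >= MAX_NATIONAL {
        return Err(ParseError::OutOfRange);
    }
    Ok(value)
}

// Property-test style probe: true if the parser returns (whatever the result)
// rather than panicking on the given input.
fn survives(parser: fn(&str) -> bool, input: &str) -> bool {
    panic::catch_unwind(move || parser(input)).is_ok()
}
fn asserting_returns(input: &str) -> bool { parse_asserting(input).is_some() }
fn checked_returns(input: &str) -> bool { parse_checked(input).is_ok() }
// Constructed 17-digit probe: 10^17 - 1 is larger than 2^56 (about 7.2 * 10^16).
const CRAFTED: &str = "+99999999999999999;phone-context=AA";

fn main() {
    panic::set_hook(Box::new(|_| {})); // silence the expected panic's message
    println!("assert! version survives: {}", survives(asserting_returns, CRAFTED)); // false
    println!("checked version survives: {}", survives(checked_returns, CRAFTED)); // true
    println!("checked result: {:?}", parse_checked(CRAFTED)); // Err(OutOfRange)
}
```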

Patches

Upgrade to 0.3.6 or higher.

Workarounds

n/a

References

Whereas whisperfish/rust-phonenumber#69 did not provide an example code path, property testing found a few: +dwPAA;phone-context=AA.

@rubdos rubdos published to whisperfish/rust-phonenumber Jul 9, 2024
Published to the GitHub Advisory Database Jul 9, 2024
Reviewed Jul 9, 2024
Published by the National Vulnerability Database Jul 9, 2024
Last updated Sep 5, 2024

Severity

High

EPSS score

0.045%
(17th percentile)

CVE ID

CVE-2024-39697

GHSA ID

GHSA-mjw4-jj88-v687
