GHSA-29mf-62xx-28jq: 
Rust vulnerability analysis and mitigation

The buffered-reader crate contains a vulnerability (GHSA-29mf-62xx-28jq) where attacker-controlled input can trigger an out-of-bounds array access, leading to application panic. The vulnerability affects versions < 1.0.2, >= 1.1.0, < 1.1.5 of the buffered-reader crate, and was discovered and patched in May 2023. The issue was found independently by Justus Winter and kpcyrd, with the fix being implemented by Justus Winter (GitHub Advisory).

The vulnerability stems from a bug in the buffered-reader crate where malicious input can cause the parser to access an array using an out-of-range array index. When this occurs, Rust's built-in safety mechanisms detect the invalid access and trigger a panic in the application. The issue specifically relates to returning partial reads that end in errors (Sequoia Announce).

The primary impact of this vulnerability is the potential for denial-of-service attacks. When exploited, the vulnerability causes the application to panic and crash. Importantly, due to Rust's memory safety guarantees, the vulnerability cannot be exploited to read from or write to the application's address space, limiting its severity to a denial-of-service condition (RustSec Advisory).

The vulnerability has been patched in versions 1.0.2, 1.1.5, and 1.2.0 of the buffered-reader crate. Users are recommended to upgrade to these patched versions. The fixes have been backported to various versions to accommodate different distribution requirements, including Debian stable and testing versions (Sequoia Announce).