GHSA-j3px-q95c-9683: 
Rust vulnerability analysis and mitigation

A denial of service vulnerability was discovered in zlib-rs (GHSA-j3px-q95c-9683), affecting versions 0.3.1 and below of the zlib-rs, libz-rs-sys, and libz-rs-sys-cdylib Rust packages. The vulnerability was discovered by security researcher @inahga through fuzzing and was published on November 14, 2024. The issue allows specially constructed input to trigger a stack overflow during decompression operations, resulting in process crashes (GitHub Advisory, RustSec).

The vulnerability stems from LLVM's handling of the zlib-rs codebase, where tail calls were not guaranteed. This implementation issue causes certain input patterns to generate a large number of stack frames, leading to stack overflow conditions. The vulnerability has been assigned a CVSS score of 5.3 (Moderate), with base metrics indicating Network attack vector, Low attack complexity, No privileges required, No user interaction needed, Unchanged scope, and Low availability impact (GitHub Advisory).

When exploited, this vulnerability results in denial of service through process crashes. While these conditions are unlikely to occur in normal operations, malicious actors can deliberately craft input files to trigger the stack overflow. The impact is primarily on availability, with no direct effects on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in version 0.4.0 of all affected packages. Users are strongly advised to upgrade to this version. For those unable to upgrade immediately, alternative workarounds include running zlib-rs in a separate process to isolate potential crashes or implementing a signal handler to catch stack overflow events (GitHub Advisory).