GHSA-pmcv-mgcf-rvxg: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-pmcv-mgcf-rvxg) affects the crypto2 Rust package and involves a non-aligned u32 read in Chacha20 encryption and decryption operations. The issue was discovered on October 8, 2021, and was published to the GitHub Advisory Database on June 16, 2022. The vulnerability affects crypto2 versions 0.1.2 and below, with no patched versions available (GitHub Advisory, RustSec Advisory).

The vulnerability stems from the implementation not enforcing alignment requirements on input slices while incorrectly assuming 4-byte alignment through an unsafe call to std::slice::fromrawpartsmut. This breaks the contract and introduces undefined behavior in the Chacha20 encryption and decryption operations. The issue specifically affects the following functions: crypto2::streamcipher::Chacha20::decryptslice, crypto2::streamcipher::Chacha20::encryptslice, and crypto2::streamcipher::xorsi512inplace. In debug builds of libstd, this results in a panic during the call to fromrawpartsmut (GitHub Issue, RustSec Advisory).

The vulnerability introduces undefined behavior in the Chacha20 encryption and decryption operations of the crypto2 library. This could potentially compromise the security and reliability of applications using these cryptographic functions (GitHub Advisory).

Currently, there are no patched versions available for this vulnerability. Users of the crypto2 library should consider using alternative cryptographic implementations that properly handle alignment requirements (GitHub Advisory).