
Cloud Vulnerability DB
A community-led vulnerabilities database
A moderate severity vulnerability was discovered in the num-bigint Rust crate, affecting versions 0.4.1 through 0.4.2. The vulnerability, identified as GHSA-v935-pqmr-g8v9, was published on November 3, 2021, and involves unexpected panics in BigInt and BigUint multiplication. The issue was privately reported by security researchers Guido Vranken and Arvid Norberg (GitHub Advisory).
The panics arise in two distinct scenarios inside the multiplication code. First, the internal mac3 function did not handle non-empty, all-zero inputs: it assumed at least one non-zero digit was present, so an unwrap() on that assumption panicked when the input was entirely zero. Second, a buffer used for intermediate results was allocated with insufficient capacity, so a later assertion on the buffer size panicked. The vulnerability is classified under CWE-20 (Improper Input Validation) and CWE-131 (Incorrect Calculation of Buffer Size) (GitHub Advisory).
The impact depends on how the application is built. A Rust panic either unwinds the stack (the default panic = "unwind" profile setting) or aborts the process (panic = "abort"). Under unwinding, a panic in a worker thread or request handler can usually be contained to that thread; under abort, the whole process terminates. Either way, an application that multiplies attacker-controlled big integers with an affected version of num-bigint can be forced to panic, so the advisory treats this as a potential denial-of-service vulnerability affecting availability (GitHub Advisory).
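The following is an added illustration of the first panic class described above; it is not num-bigint's own code. It models a multiplication routine that trims trailing zero digits from its inputs and assumes a non-zero digit exists (the vulnerable shape), beside a hardened version that treats an all-zero input as the value zero. A catch_unwind wrapper shows that the panic is only containable when the binary is built with unwinding; the limb type, function names and the 32-bit digit layout are assumptions for this example.

```rust
// Added illustration of the "non-empty all-zero input" panic class from the
// advisory. This is a simplified model, not num-bigint's mac3 or its fix.
// Limbs are little-endian u32 digits (an assumption for this example).
use std::panic;

type Limb = u32;

/// Schoolbook multiply-accumulate: acc += b * c.
/// acc must be zero-initialised with room for b.len() + c.len() limbs.
fn mac(acc: &mut [Limb], b: &[Limb], c: &[Limb]) {
    for (i, &bi) in b.iter().enumerate() {
        let mut carry: u64 = 0;
        for (j, &cj) in c.iter().enumerate() {
            // acc + bi*cj + carry <= (2^32-1) + (2^32-1)^2 + (2^32-1) = 2^64-1: no u64 overflow
            let t = acc[i + j] as u64 + bi as u64 * cj as u64 + carry;
            acc[i + j] = t as Limb;
            carry = t >> 32;
        }
        // Propagate the remaining carry into the higher limbs.
        let mut k = i + c.len();
        while carry != 0 {
            let t = acc[k] as u64 + carry;
            acc[k] = t as Limb;
            carry = t >> 32;
            k += 1;
        }
    }
}

/// Vulnerable model: strips trailing zero limbs while assuming at least one
/// limb is non-zero. A non-empty, all-zero input makes rposition() return
/// None, and unwrap() panics.
fn trim_vulnerable(x: &[Limb]) -> &[Limb] {
    let last = x.iter().rposition(|&d| d != 0).unwrap();
    &x[..=last]
}

/// Hardened model: an all-zero input is a legitimate value (zero), so it is
/// normalised to the empty limb slice instead of being assumed impossible.
fn trim_hardened(x: &[Limb]) -> &[Limb] {
    match x.iter().rposition(|&d| d != 0) {
        Some(last) => &x[..=last],
        None => &x[..0],
    }
}

/// Multiply two limb slices using the given trimming strategy; the result is
/// normalised (no trailing zero limbs).
fn mul_with(trim: fn(&[Limb]) -> &[Limb], b: &[Limb], c: &[Limb]) -> Vec<Limb> {
    let (b, c) = (trim(b), trim(c));
    let mut acc = vec![0; b.len() + c.len()];
    mac(&mut acc, b, c);
    trim_hardened(&acc).to_vec()
}

/// Runs the multiplication and returns None if it panicked. This containment
/// only works under panic = "unwind"; with panic = "abort" the process dies
/// before catch_unwind can observe anything.
fn mul_catching_panic(trim: fn(&[Limb]) -> &[Limb], b: &[Limb], c: &[Limb]) -> Option<Vec<Limb>> {
    let (b, c) = (b.to_vec(), c.to_vec());
    panic::catch_unwind(move || mul_with(trim, &b, &c)).ok()
}

fn main() {
    // Constructed inputs: a non-empty all-zero operand (the problematic shape)
    // and the largest two-limb value.
    let zero_limbs: [Limb; 3] = [0, 0, 0];
    let x: [Limb; 2] = [0xffff_ffff, 0xffff_ffff];
    println!("vulnerable trim: {:?}", mul_catching_panic(trim_vulnerable, &zero_limbs, &x));
    println!("hardened trim:   {:?}", mul_catching_panic(trim_hardened, &zero_limbs, &x));
    println!("x * x:           {:?}", mul_with(trim_hardened, &x, &x));
}
```

The vulnerable path prints None (the panic was caught), the hardened path prints Some([]) because zero times anything is zero, and x * x yields (2^64 - 1)^2 as the limbs [1, 0, 0xfffffffe, 0xffffffff]. Note that catch_unwind is shown only to demonstrate the failure mode; it is not a substitute for upgrading, since it does nothing under panic = "abort".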
The vulnerability has been patched in version 0.4.3 of num-bigint. Users are advised to upgrade to this version (for example with cargo update -p num-bigint) to resolve both panic scenarios. The fixes address the mac3 function's handling of all-zero inputs and correct the buffer allocation calculations (GitHub PR).
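As an added example of the upgrade check (not part of the advisory), the scanner below reads a Cargo.lock and flags any num-bigint entry whose version falls in the affected range 0.4.1 through 0.4.2 stated above. It relies only on the line-oriented shape of Cargo.lock (each [[package]] block carries name = "..." and version = "..." lines); the sample lock file is constructed for this example.

```rust
// Added example: flag affected num-bigint versions in a Cargo.lock.
// The affected range and fixed version come from the advisory; the lock
// file below is constructed for this example, not taken from a real project.

type Version = (u64, u64, u64);

/// Inclusive affected range and first fixed version, per the advisory.
const AFFECTED_MIN: Version = (0, 4, 1);
const AFFECTED_MAX: Version = (0, 4, 2);
const FIXED: Version = (0, 4, 3);

/// Parses "major.minor.patch", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<Version> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Tuples compare lexicographically, which matches semver ordering here.
fn is_affected(v: Version) -> bool {
    v >= AFFECTED_MIN && v <= AFFECTED_MAX
}

/// Returns (version string, affected?) for every num-bigint entry found.
/// Cargo.lock lists `name = "..."` before `version = "..."` in each package.
fn scan_lock(lock: &str) -> Vec<(String, bool)> {
    let mut out = Vec::new();
    let mut current_name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            current_name = None;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            current_name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            if current_name.as_deref() == Some("num-bigint") {
                let ver = rest.trim_matches('"').to_string();
                let affected = parse_version(&ver).map_or(false, is_affected);
                out.push((ver, affected));
            }
        }
    }
    out
}

/// Constructed sample lock file: one affected 0.4.x entry and one 0.3.x
/// entry outside the advisory's range (0.3 and 0.4 can coexist in a lock).
const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "num-bigint"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "num-integer",
 "num-traits",
]

[[package]]
name = "num-integer"
version = "0.1.44"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "num-bigint"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for (ver, affected) in scan_lock(SAMPLE_LOCK) {
        if affected {
            println!("num-bigint {} is affected by GHSA-v935-pqmr-g8v9; upgrade to {}.{}.{}",
                     ver, FIXED.0, FIXED.1, FIXED.2);
        } else {
            println!("num-bigint {} is outside the affected range", ver);
        }
    }
}
```

To run it against a real project, replace SAMPLE_LOCK with the contents of that project's Cargo.lock (for example via std::fs::read_to_string); cargo audit performs the same check against the full RustSec database and is the better tool for routine use.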
Source: This report was generated using AI