RUSTSEC-2021-0073: 
Rust vulnerability analysis and mitigation

An issue was discovered in the prost-types crate before version 0.8.0 for Rust, identified as RUSTSEC-2021-0073 (CVE-2021-38192). The vulnerability involves a potential overflow condition that can occur during the conversion process from Timestamp to SystemTime. The issue was disclosed on August 8, 2021 (NVD).

The vulnerability stems from the use of + and - operators on UNIXEPOCH during timestamp conversion operations. When converting from prosttypes::Timestamp to SystemTime, the operation can result in an overflow and subsequent panic, particularly when handling untrusted input. The issue is further complicated by the Timestamp::normalize function, which may either panic or wrap around depending on compiler settings (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is a potential denial-of-service condition. When processing untrusted Timestamp inputs, the application may panic due to overflow conditions, leading to service disruption. This is particularly concerning in systems that process external timestamp data or handle untrusted protocol buffer messages (GitHub Issue).

The vulnerability was fixed in prost-types version 0.8.0. For affected versions, it is recommended to implement proper input validation before timestamp conversion and consider using SystemTime::checked{add,sub} methods instead of direct arithmetic operations. Additionally, the Timestamp::normalize function should be modified to use saturating{add,sub} operations to prevent panics (GitHub Issue).