RUSTSEC-2023-0004: 
Rust vulnerability analysis and mitigation

The bzip2 crate versions prior to 0.4.4 contained a vulnerability identified as RUSTSEC-2023-0004 (CVE-2023-22895). This vulnerability allowed attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. The issue was discovered in December 2022 and was patched in January 2023 (GitHub PR).

The vulnerability stemmed from an integer overflow issue in the Decompress::decompress() implementation within mem.rs. When processing files larger than 4GB (0x100000000h), the length of the output buffer would be cast to cuint (uint32), causing high 32 bits to be lost. This resulted in availout being zero when invoking the C unzipping function, leading to no data extraction and an infinite loop (GitHub PR).

When exploited, this vulnerability could cause the application to enter an infinite loop during decompression of large files (>4GB), effectively creating a denial of service condition. This affected applications using the bzip2 crate for file compression and decompression operations (GitHub PR).

The issue was fixed in bzip2 crate version 0.4.4. The patch modified the availout assignment logic in the Decompress::decompress() implementation to handle cases where the output length exceeds the available range of cuint by setting it to the maximum value of c_uint (GitHub PR).