PT-2020-17558 · Rust · Nanorand

Aspenluxxxy

Published

2020-12-09

Updated

2021-08-25

CVE-2020-35926

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions nanorand versions prior to 0.5.1

Description An issue in the nanorand crate caused random number generators, including the cryptographically secure ChaCha, to return all zeroes due to mishandled integer truncation. This occurred because the implementation used bit-shifting to truncate a 64-bit number instead of an as conversion, leading to improper number generation.

Recommendations For versions prior to 0.5.1, update to version 0.5.1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of random number generators that rely on the affected RandomGen implementations until a patch is available.

Fix

Use of Insufficiently Random Values

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-681CWE-330CWE-338

Related Identifiers

CVE-2020-35926

GHSA-M9M5-CG5H-R582

RUSTSEC-2020-0089

Affected Products

Nanorand

PT-2020-17558 · Rust · Nanorand

CVE-2020-35926

Weakness Enumeration

Related Identifiers

Affected Products

References · 9