CVE-2020-35926

MEDIUM5.1EPSS 0.43%

nanorand 0.5.0 - RNGs failed to generate properly for non-64-bit numbers

Published: 8/25/2021Modified: 11/8/2023

Also known as:GHSA-m9m5-cg5h-r582RUSTSEC-2020-0089

Description

In versions of `nanorand` prior to 0.5.1, `RandomGen` implementations for standard unsigned integers could fail to properly generate numbers, due to using bit-shifting to truncate a 64-bit number, rather than just an `as` conversion. This often manifested as RNGs returning nothing but 0, including the cryptographically secure `ChaCha` random number generator..

Affected packages (2)

crates.io/nanorandfrom 0, < 0.5.1
crates.io/nanorand>= 0.0.0-0, < 0.5.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.1	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-35926
PATCHhttps://crates.io/crates/nanorand
PATCHhttps://github.com/Absolucy/nanorand-rs
WEBhttps://github.com/Absolucy/nanorand-rs/commit/5ba218ac29df4786b002d7d12b47fa0c04a331f2
WEBhttps://rustsec.org/advisories/RUSTSEC-2020-0089.html
WEBhttps://twitter.com/aspenluxxxy/status/1336684692284772352