Impact
The phonenumber parsing code may panic due to a reachable assert! guard on the phonenumber string.
In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form +dwPAA;phone-context=AA, where the "number" part potentially parses as a number larger than 2^56.
Since f69abee/0.3.4/#52.
0.2.x series is not affected.
Patches
Upgrade to 0.3.6 or higher.
Workarounds
n/a
References
Whereas #69 did not provide an example code path, property testing found a few: +dwPAA;phone-context=AA.
Impact
The phonenumber parsing code may panic due to a reachable
assert!guard on the phonenumber string.In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form
+dwPAA;phone-context=AA, where the "number" part potentially parses as a number larger than 2^56.Since f69abee/0.3.4/#52.
0.2.x series is not affected.
Patches
Upgrade to 0.3.6 or higher.
Workarounds
n/a
References
Whereas #69 did not provide an example code path, property testing found a few:
+dwPAA;phone-context=AA.