Open insanitybit opened 2 years ago
A simple solution is to not vendor Brotli, but to link against a system-provided libbrotli instead, which can be kept up to date independently, and requires no code changes in the Rust code to update. For an example, see https://github.com/ruuda/brotli2-rs/commit/ec1c87ed98b25c30b24c97ebf376d067233acfe4.
JFYI, I maintain bindings to brotli: https://crates.io/crates/compu-brotli-sys/1.1.0
Brotli versions prior to 1.0.8 are affected by CVE-2020-8927.
https://www.cvedetails.com/cve/CVE-2020-8927/
This is an integer overflow and I believe it is reachable from the Rust bindings, but that's just based on a quick perusal of the source code.
I'm currently working on a PR to add an advisory to the rustsec advisory-db as well.
https://github.com/rustsec/advisory-db/pull/1124
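As a worked version of the two points raised in this thread (link against a system libbrotli instead of vendoring, and make sure that library is not a release before 1.0.8), here is an added build-script-style example. It is not code from brotli2-rs, compu-brotli-sys, or the commit linked above. It assumes the system library ships the `libbrotlidec` pkg-config module (the name brotli's own install uses) and that `pkg-config` is on PATH when this runs as a `build.rs`; the flag strings and version strings it is tested against are constructed. `unpack_version` decodes the packed form that `BROTLI_VERSION` and `BrotliDecoderVersion()` use, `(major << 24) | (minor << 12) | patch`, so the same comparison can be made at runtime through the bindings.

```rust
// Added example (not from brotli2-rs, compu-brotli-sys or the linked commit):
// a build.rs-style check that links against the system libbrotli found via
// pkg-config and refuses any release before 1.0.8 (the CVE-2020-8927 cut-off
// named in the thread). "libbrotlidec" is the name of brotli's own .pc file;
// adjust it if your distribution packages the library differently (assumption).
use std::process::Command;

/// First brotli release the thread gives as not affected by CVE-2020-8927.
pub const MIN_SAFE_BROTLI: (u32, u32, u32) = (1, 0, 8);

/// Parse "MAJOR.MINOR.PATCH" as printed by `pkg-config --modversion libbrotlidec`.
/// Missing minor/patch components default to 0; a non-numeric component is an error.
pub fn parse_version(s: &str) -> Option<(u32, u32, u32)> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u32>().ok());
    let major = parts.next()??;
    let minor = parts.next().unwrap_or(Some(0))?;
    let patch = parts.next().unwrap_or(Some(0))?;
    Some((major, minor, patch))
}

/// Decode the packed integer brotli uses for BROTLI_VERSION and returns from
/// BrotliDecoderVersion(): (major << 24) | (minor << 12) | patch, so 0x1000009 is 1.0.9.
/// This is the value to compare at runtime through the bindings, since the .so
/// actually loaded may differ from what pkg-config saw at build time.
pub fn unpack_version(packed: u32) -> (u32, u32, u32) {
    (packed >> 24, (packed >> 12) & 0xFFF, packed & 0xFFF)
}

/// True when `v` is older than 1.0.8 (tuple comparison is lexicographic).
pub fn is_affected_by_cve_2020_8927(v: (u32, u32, u32)) -> bool {
    v < MIN_SAFE_BROTLI
}

/// Translate `pkg-config --libs libbrotlidec` output ("-L/dir -lbrotlidec ...") into
/// the cargo directives a build script prints. Flags that are neither -L nor -l
/// (e.g. -pthread) carry no link-search/link-lib information and are skipped.
pub fn link_directives(libs_flags: &str) -> Vec<String> {
    let mut out = Vec::new();
    for tok in libs_flags.split_whitespace() {
        if let Some(dir) = tok.strip_prefix("-L") {
            out.push(format!("cargo:rustc-link-search=native={}", dir));
        } else if let Some(lib) = tok.strip_prefix("-l") {
            out.push(format!("cargo:rustc-link-lib={}", lib));
        }
    }
    out
}

/// Run pkg-config and return stdout, or None if it is absent or the module is missing.
fn pkg_config(args: &[&str]) -> Option<String> {
    let out = Command::new("pkg-config").args(args).output().ok()?;
    if !out.status.success() {
        return None;
    }
    Some(String::from_utf8_lossy(&out.stdout).into_owned())
}

/// As a build.rs: fail the build instead of silently linking a vulnerable library.
fn main() {
    let ver_str = pkg_config(&["--modversion", "libbrotlidec"])
        .expect("libbrotlidec not found via pkg-config; install the system brotli dev package");
    let ver = parse_version(&ver_str)
        .unwrap_or_else(|| panic!("unparseable libbrotlidec version {:?}", ver_str));
    if is_affected_by_cve_2020_8927(ver) {
        panic!(
            "system libbrotli {}.{}.{} predates 1.0.8 and is affected by CVE-2020-8927",
            ver.0, ver.1, ver.2
        );
    }
    let libs = pkg_config(&["--libs", "libbrotlidec"]).unwrap_or_default();
    for line in link_directives(&libs) {
        println!("{}", line);
    }
    println!("cargo:rerun-if-env-changed=PKG_CONFIG_PATH");
}
```

Failing the build on an old system library is the point: with a vendored copy the version is whatever the crate shipped, but with a system library the version is whatever the host has, so the check belongs where the link decision is made. The same `is_affected_by_cve_2020_8927(unpack_version(...))` comparison can be applied to the value `BrotliDecoderVersion()` returns if you want a runtime assertion in the bindings as well.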