CVE-2023-22895
Description
The bzip2 crate before 0.4.4 for Rust allows attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in bzip2 crate for Rust before 0.4.4 allows attackers to cause denial of service via a large file.
The bzip2 crate for Rust before version 0.4.4 contains an integer overflow vulnerability in the mem.rs file. The issue arises in both the Decompress and Compress implementations, where input.len() and output.len() are cast directly to c_uint without bounds checking. When processing a file larger than 4GB, these values exceed u32::MAX and the cast truncates them, so a very small value is passed to the underlying C library [1][3].
This vulnerability can be triggered by providing a specially crafted large file to an application using the vulnerable bzip2 crate. The attack requires no special privileges, as it can be exploited by simply decompressing or compressing a malicious file. The overflow leads to avail_in or avail_out being set to a small number, which causes the decompression loop to run indefinitely, resulting in a denial of service [1][2].
The impact is a denial of service (DoS) condition, where the application becomes unresponsive or hangs indefinitely due to the infinite loop. This can be used to exhaust system resources or disrupt service availability. The vulnerability is particularly concerning for applications that process untrusted compressed data, such as archive utilities or network services [3].
A fix was implemented in version 0.4.4 of the bzip2 crate. The patch adds min(c_uint::MAX as usize) checks before the cast, ensuring that values are clamped to the maximum representable c_uint value, preventing the overflow [1][4]. Users are advised to update to version 0.4.4 or later. No workarounds are available for vulnerable versions [3].
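As an added illustration (not code from the bzip2 crate or its authors), the following Rust puts the two cast sites from the diff side by side and drives them through a loop with a progress guard. `MockStream`, `mock_step` and `drive` are constructed stand-ins for the C stream state and BZ2_bzDecompress, and lengths are u64 so a 4 GiB buffer can be represented without allocating it:

```rust
use std::os::raw::c_uint;

const GIB: u64 = 1 << 30;
/// Pre-0.4.4: a bare `as c_uint` cast keeps only the low 32 bits, so a length
/// of 4 GiB becomes 0 and 4 GiB + 100 becomes 100. (The crate casts a usize;
/// u64 here lets a 4 GiB length be modelled without allocating it.)
fn avail_truncating(len: u64) -> c_uint {
    len as c_uint
}

/// 0.4.4 fix: clamp to c_uint::MAX before the cast.
fn avail_clamped(len: u64) -> c_uint {
    len.min(c_uint::MAX as u64) as c_uint
}

/// Constructed stand-in for the bz_stream fields this bug touches.
struct MockStream { avail_in: c_uint, avail_out: c_uint }

/// Constructed stand-in for one BZ2_bzDecompress call: moves
/// min(avail_in, avail_out) bytes and reports how many were consumed.
fn mock_step(s: &mut MockStream) -> c_uint {
    let n = s.avail_in.min(s.avail_out);
    s.avail_in -= n;
    s.avail_out -= n;
    n
}

/// Feeds `input_len` bytes through the stream, re-arming avail_in/avail_out
/// from the remaining lengths before each call as a streaming wrapper does.
/// Returns the number of calls needed, or Err on a zero-progress call (the state in which the unpatched loop spins forever).
fn drive(input_len: u64, output_len: u64, clamp: bool) -> Result<u32, &'static str> {
    let conv: fn(u64) -> c_uint = if clamp { avail_clamped } else { avail_truncating };
    let (mut remaining, mut calls) = (input_len, 0u32);
    while remaining > 0 {
        let mut s = MockStream { avail_in: conv(remaining), avail_out: conv(output_len) };
        let consumed = u64::from(mock_step(&mut s));
        calls += 1;
        if consumed == 0 {
            return Err("zero-progress call: the unpatched loop would hang here");
        }
        remaining -= consumed;
    }
    Ok(calls)
}

fn main() {
    println!("patched, 4 GiB in/out:   {:?}", drive(4 * GIB, 4 * GIB, true));
    println!("unpatched, 4 GiB in/out: {:?}", drive(4 * GIB, 4 * GIB, false));
}
```

The guard in `drive` is the defensive counterpart of the clamp: even with the fix applied, a wrapper that loops on a C stream should treat a call that consumes nothing as an error rather than retry it.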
- Patched an infinite loop bug in src/mem.rs, impl Decompress::decompress() by bjrjk · Pull Request #86 · trifectatechfoundation/bzip2-rs
- NVD - CVE-2023-22895
- bzip2 Denial of Service (DoS) › RustSec Advisory Database
- Patched an infinite loop bug in src/mem.rs, impl Decompress::decompre… · trifectatechfoundation/bzip2-rs@90c9c18
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bzip2 (crates.io) | < 0.4.4 | 0.4.4 |
Affected products
- Rust/bzip2 crate (GHSA coordinates, 4 version ranges; no CPE assigned):

| Package | Distribution | Affected range |
|---|---|---|
| pkg:cargo/bzip2 | crates.io | < 0.4.4 |
| pkg:rpm/opensuse/python-cramjam | openSUSE Tumbleweed | < 2.9.1-1.3 |
| pkg:rpm/opensuse/rage-encryption | openSUSE Tumbleweed | < 0.9.0+0-4.1 |
| pkg:rpm/opensuse/wasm-pack | openSUSE Tumbleweed | < 0.10.3~0-2.1 |
Patches
- 90c9c182cd5a: Patched an infinite loop bug in src/mem.rs, impl Decompress::decompress() (#86)
1 file changed · +4 −4
src/mem.rs+4 −4 modified@@ -150,9 +150,9 @@ impl Compress { return Ok(Status::RunOk); } self.inner.raw.next_in = input.as_ptr() as *mut _; - self.inner.raw.avail_in = input.len() as c_uint; + self.inner.raw.avail_in = input.len().min(c_uint::MAX as usize) as c_uint; self.inner.raw.next_out = output.as_mut_ptr() as *mut _; - self.inner.raw.avail_out = output.len() as c_uint; + self.inner.raw.avail_out = output.len().min(c_uint::MAX as usize) as c_uint; unsafe { match ffi::BZ2_bzCompress(&mut *self.inner.raw, action as c_int) { ffi::BZ_RUN_OK => Ok(Status::RunOk), @@ -225,9 +225,9 @@ impl Decompress { /// Decompress a block of input into a block of output. pub fn decompress(&mut self, input: &[u8], output: &mut [u8]) -> Result<Status, Error> { self.inner.raw.next_in = input.as_ptr() as *mut _; - self.inner.raw.avail_in = input.len() as c_uint; + self.inner.raw.avail_in = input.len().min(c_uint::MAX as usize) as c_uint; self.inner.raw.next_out = output.as_mut_ptr() as *mut _; - self.inner.raw.avail_out = output.len() as c_uint; + self.inner.raw.avail_out = output.len().min(c_uint::MAX as usize) as c_uint; unsafe { match ffi::BZ2_bzDecompress(&mut *self.inner.raw) { ffi::BZ_OK => Ok(Status::Ok),
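Review bot: in the Compress hunk (@@ -150), `self.inner.raw.avail_in = input.len().min(c_uint::MAX as usize) as c_uint;` and the matching avail_out line silently hand the C library at most c_uint::MAX bytes per call, so a caller that passes a longer slice and assumes it was fully consumed gets truncated output with no error; the doc comment of compress() should state that limit and that callers must check how much was actually consumed and loop. The change also ships without a test (+4 −4 in one file); a unit test asserting that the clamping expression yields c_uint::MAX for a length of c_uint::MAX as usize + 1 would pin the fix without needing a 4 GiB buffer.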
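Review bot: in the Decompress hunk (@@ -225), the doc comment `/// Decompress a block of input into a block of output.` is left unchanged although the new clamp means a block longer than c_uint::MAX bytes is only partially consumed per call; it should say that at most c_uint::MAX bytes of input and output are handled per call, so the wrapper loops that previously hung (the no-progress case this fix targets) check for progress instead of assuming full consumption. The cast is fixed at the two sites shown; please confirm in review that no other `as c_uint` length casts remain in src/mem.rs.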
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-96jv-r488-c2rj (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MI5SVRSGKBWB2JGDLDVIFY5ZQVDZP6I7/ (MITRE, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQK57GGXJX3AH7KF6S7S3N7JC5QOYUQ7/ (MITRE, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUK2JO25PPA6XBREKJRBLRCD22LKIOLO/ (MITRE, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-22895 (GHSA, advisory)
- crates.io/crates/bzip2/versions (GHSA, web)
- github.com/alexcrichton/bzip2-rs/commit/90c9c182cd5a5ebc75810aebd89b347a7bdf590b (GHSA, web)
- github.com/alexcrichton/bzip2-rs/pull/86 (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MI5SVRSGKBWB2JGDLDVIFY5ZQVDZP6I7 (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQK57GGXJX3AH7KF6S7S3N7JC5QOYUQ7 (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UUK2JO25PPA6XBREKJRBLRCD22LKIOLO (GHSA, web)
- rustsec.org/advisories/RUSTSEC-2023-0004.html (GHSA, web)