rand_core known bugs

cargo

4 known bugs in rand_core, with affected versions, fixes and workarounds. Sourced from upstream issue trackers.

Known bugs
| Severity | Affected | Fixed in | Title | Status | Source |
|---|---|---|---|---|---|
| medium | 0.6.0 | 0.6.2 | Incorrect check on buffer length when seeding RNGs | fixed | osv:RUSTSEC-2021-0023 |
| medium | 0.4.0-0 | 0.4.2 | Unaligned memory access | fixed | osv:RUSTSEC-2019-0035 |
| critical | 0.6.0 | 0.6.2 | Incorrect check on buffer length in rand_core | fixed | osv:GHSA-w7j2-35mf-95p7 |
| critical | 0.4.0 | 0.4.2 | Unaligned memory access in rand_core | fixed | osv:GHSA-mmc9-pwm7-qj5w |

Incorrect check on buffer length when seeding RNGs (RUSTSEC-2021-0023; medium; affected 0.6.0, fixed in 0.6.2; status: fixed)

Summary: `rand_core::le::read_u32_into` and `read_u64_into` have incorrect checks on the source buffer length, allowing the destination buffer to be under-filled. Implications: some downstream RNGs, including `Hc128Rng` (but not the more widely used `ChaCha*Rng`), allow seeding via the `SeedableRng::from_seed` trait function with keys that are too short.

Unaligned memory access (RUSTSEC-2019-0035; medium; affected 0.4.0-0, fixed in 0.4.2; status: fixed)

Affected versions of this crate violated alignment when casting byte slices to integer slices, resulting in undefined behavior. The flaw was corrected by Ralf Jung and Diggory Hardy.

Incorrect check on buffer length in rand_core (GHSA-w7j2-35mf-95p7; critical; affected 0.6.0, fixed in 0.6.2; status: fixed)

An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because `read_u32_into` and `read_u64_into` mishandle certain buffer-length checks, a random number generator may be seeded with too little data. The vulnerability was introduced in v0.6.0; the advisory does not apply to earlier minor version numbers.

Unaligned memory access in rand_core (GHSA-mmc9-pwm7-qj5w; critical; affected 0.4.0, fixed in 0.4.2; status: fixed)

Impact: Affected versions of this crate violated alignment when casting byte slices to integer slices, resulting in undefined behavior. `rand_core::BlockRng::next_u64` and `rand_core::BlockRng::fill_bytes` are affected.

Patches: The flaw was corrected by Ralf Jung and Diggory Hardy for `rand_core >= 0.4.2`.

Workarounds: None.

References: See [Rand's changelog](https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06).

For more information: If you have any questions or comments about this advisory, [open an issue in the Rand repository](https://github.com/rust-random/rand/issues/new/choose).
API access

Get this data programmatically: free, no authentication.

curl https://depscope.dev/api/bugs/cargo/rand_core