Bug 2177737

Summary: RUSTSEC-2023-0020: const-cstr is unmaintained
Product: Fedora
Reporter: Fabio Valentini <decathorpe>
Component: rust-const-cstr
Assignee: Rust SIG <rust-sig>
Status: NEW
Severity: unspecified
Priority: unspecified
Version: 39
CC: decathorpe, rust-sig
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Type: Bug
Story Points: ---
Regression: ---
Bug Depends On: 2214209, 2214208
Bug Blocks:

Description Fabio Valentini 2023-03-13 14:30:44 UTC
cf. https://rustsec.org/advisories/RUSTSEC-2023-0020.html

The last release of the "const-cstr" crate was on 2018-02-10. This is also the last day on which code changes happened in the project's git repo on GitHub. The project is now a read-only archive.

The code has some issues that violate Rust soundness rules and can lead to panics when parsing untrusted data.

The const_str and cstr crates are listed as possible alternatives.

The following Rust packages in Fedora depend on the "const-cstr" crate:

- libblkio
- yeslogic-fontconfig-sys

I plan to mark the "rust-const-cstr-devel" package with "Provides: deprecated()" to ensure that no new packages in Fedora depend on it, and will file additional bugs for all dependent packages.

Comment 1 Fedora Release Engineering 2023-08-16 07:11:35 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.