Bug 2318560

Summary: RUSTSEC-2023-0020: const-cstr is unmaintained
Product: Fedora
Reporter: Fabio Valentini <decathorpe>
Component: rust-dlopen2
Assignee: Rust SIG <rust-sig>
Status: NEW
Severity: medium
Priority: unspecified
Version: rawhide
CC: jonathansteffan, rust-sig
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Linux
Bug Blocks: 2177737    

Description Fabio Valentini 2024-10-14 15:48:51 UTC
cf. https://rustsec.org/advisories/RUSTSEC-2023-0020.html

The last release of the "const-cstr" crate was on 2018-02-10. This is also the last day on which code changes happened in the project's git repo on GitHub. The project is now a read-only archive.

The code has some issues that violate Rust soundness rules and can lead to panics when parsing untrusted data.

The const_str and cstr crates are listed as possible alternatives.

Reproducible: Always

Comment 1 Fabio Valentini 2024-10-14 15:50:00 UTC
Note that recent Rust versions now also support this directly with the `c"C-String literal"` syntax, so there's no need to use third-party crates at all in most cases.
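As an added illustration of the two points raised in this report (it is not code from the bug, from dlopen2, or from the const-cstr crate), the block below shows the compile-time checked `c"..."` literal that replaces the crate, next to the non-panicking `std::ffi` conversions that a loader should use for symbol names coming from untrusted input. It assumes a Rust toolchain of 1.77 or newer for the C-string literal syntax; the symbol name `my_plugin_init` and the sample byte inputs are constructed for the example.

```rust
use std::ffi::{CStr, CString, FromBytesWithNulError, NulError};

// Compile-time checked C string literal (stable since Rust 1.77): the compiler
// appends the trailing NUL and rejects an interior NUL at compile time, so the
// unmaintained const-cstr crate is not needed for constant names.
// "my_plugin_init" is a constructed example symbol name.
pub const SYMBOL_NAME: &CStr = c"my_plugin_init";

/// Borrow untrusted bytes (for instance a symbol name read from a config
/// file) as a `&CStr` without panicking: the slice must end in exactly one
/// NUL byte, and any other layout is reported as an error.
pub fn cstr_from_untrusted(bytes: &[u8]) -> Result<&CStr, FromBytesWithNulError> {
    CStr::from_bytes_with_nul(bytes)
}

/// Owned variant for input that carries no terminator yet. An interior NUL
/// is rejected instead of silently truncating the name at the first NUL,
/// which is the failure mode that matters when the name is later handed to
/// a C API such as dlsym.
pub fn cstring_from_untrusted(bytes: &[u8]) -> Result<CString, NulError> {
    CString::new(bytes)
}

/// Length of the constant name without its NUL terminator, as a C API sees it.
pub fn symbol_name_len() -> usize {
    SYMBOL_NAME.to_bytes().len()
}

fn main() {
    println!("constant symbol name: {:?}", SYMBOL_NAME);
    println!("well-formed input:    {:?}", cstr_from_untrusted(b"init\0"));
    println!("missing terminator:   {:?}", cstr_from_untrusted(b"init"));
    println!("interior NUL:         {:?}", cstr_from_untrusted(b"in\0it\0"));
    println!("owned, interior NUL:  {:?}", cstring_from_untrusted(b"bad\0name"));
}
```

Every path that takes runtime data returns a `Result`, so a malformed name surfaces as a recoverable error at the call site rather than as a panic inside the loader.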

Comment 2 Jonathan Steffan 2024-10-19 03:03:19 UTC
https://github.com/OpenByteDev/dlopen2/issues/17