2177737 – RUSTSEC-2023-0020: const-cstr is unmaintained

Bug 2177737 - RUSTSEC-2023-0020: const-cstr is unmaintained

Summary: RUSTSEC-2023-0020: const-cstr is unmaintained

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	rust-const-cstr
Sub Component:
Version:	39
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Rust SIG
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2214209 2214208
Blocks:
TreeView+	depends on / blocked

Reported:	2023-03-13 14:30 UTC by Fabio Valentini
Modified:	2023-08-16 07:11 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Fabio Valentini 2023-03-13 14:30:44 UTC

c.f. https://rustsec.org/advisories/RUSTSEC-2023-0020.html

The last release of the "const-cstr" crate was on 2018-02-10. This is also the last day on which code changes happened in the project's git repo on GitHub. The project is now a read-only archive.

The code has some issues that violate Rust soundness rules and can lead to panics when parsing untrusted data.

The const_str and cstr crates are listed as possible alternatives.

The following Rust packages in Fedora depend on the "const-cstr" crate:

- libblkio
- yeslogic-fontconfig-sys

I plan to mark the "rust-const-cstr-devel" package with "Provides: deprecated()" to ensure no new packages in Fedora depending on it, and will file additional bugs for all dependent packages.

Comment 1 Fedora Release Engineering 2023-08-16 07:11:35 UTC

This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

Note You need to log in before you can comment on or make changes to this bug.