2214209 – RUSTSEC-2023-0020: const-cstr is unmaintained

Bug 2214209 - RUSTSEC-2023-0020: const-cstr is unmaintained

Summary: RUSTSEC-2023-0020: const-cstr is unmaintained

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	rust-yeslogic-fontconfig-sys
Sub Component:
Version:	39
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Rust SIG
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2177737
TreeView+	depends on / blocked

Reported:	2023-06-12 09:52 UTC by Fabio Valentini
Modified:	2023-08-16 08:10 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Fabio Valentini 2023-06-12 09:52:24 UTC

c.f. https://rustsec.org/advisories/RUSTSEC-2023-0020.html

The last release of the "const-cstr" crate was on 2018-02-10. This is also the last day on which code changes happened in the project's git repo on GitHub. The project is now a read-only archive.

The code has some issues that violate Rust soundness rules and can lead to panics when parsing untrusted data.

The const_str and cstr crates are listed as possible alternatives.

Reproducible: Always

Comment 1 Fedora Release Engineering 2023-08-16 08:10:36 UTC

This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

Note You need to log in before you can comment on or make changes to this bug.