Bug 2214209 - RUSTSEC-2023-0020: const-cstr is unmaintained
Summary: RUSTSEC-2023-0020: const-cstr is unmaintained
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: rust-yeslogic-fontconfig-sys4
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Rust SIG
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2177737
Reported: 2023-06-12 09:52 UTC by Fabio Valentini
Modified: 2024-10-07 16:02 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Fabio Valentini 2023-06-12 09:52:24 UTC
cf. https://rustsec.org/advisories/RUSTSEC-2023-0020.html

The last release of the "const-cstr" crate was on 2018-02-10. This is also the last day on which code changes happened in the project's git repo on GitHub. The project is now a read-only archive.

The code has some issues that violate Rust soundness rules and can lead to panics when parsing untrusted data.

The const_str and cstr crates are listed as possible alternatives.

Reproducible: Always
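
The report above describes the hazard only in general terms (soundness violations, panics on untrusted data). As an added illustration, not code from const-cstr, from rust-yeslogic-fontconfig-sys, or from the advisory, the following Rust shows the checks a replacement for a const C-string helper should make before handing bytes to the unchecked CStr constructor: compile-time validation of literals, and checked conversions for data that arrives at runtime. The macro name checked_const_cstr!, the function names and the sample byte strings are assumptions made for this example.

```rust
use std::ffi::{CStr, CString};

// Constructed sample inputs for this example; they are not taken from the
// advisory or from any real crate.
pub const GOOD: &[u8] = b"libfontconfig.so.1\0";
pub const NO_NUL: &[u8] = b"libfontconfig.so.1";
pub const INTERIOR_NUL: &[u8] = b"libfont\0config.so.1\0";

/// Compile-time check that a byte string is a valid C string: non-empty,
/// NUL-terminated, and with no interior NUL byte. Being a `const fn`, it can
/// be evaluated in a `const` assertion so that a bad literal is rejected by
/// the compiler instead of surfacing as undefined behaviour or a panic later.
pub const fn is_valid_cstr_bytes(bytes: &[u8]) -> bool {
    if bytes.is_empty() || bytes[bytes.len() - 1] != 0 {
        return false;
    }
    let mut i = 0;
    while i + 1 < bytes.len() {
        if bytes[i] == 0 {
            return false;
        }
        i += 1;
    }
    true
}

/// Hypothetical replacement for a `const_cstr!`-style macro (assumed name):
/// appends the NUL, verifies the bytes at compile time, and only then calls
/// the unchecked constructor. Only string literals can reach the `unsafe` block.
macro_rules! checked_const_cstr {
    ($s:literal) => {{
        const BYTES: &[u8] = concat!($s, "\0").as_bytes();
        const _: () = assert!(
            is_valid_cstr_bytes(BYTES),
            "C string literal contains an interior NUL"
        );
        // SAFETY: BYTES was validated by the const assertion above.
        unsafe { CStr::from_bytes_with_nul_unchecked(BYTES) }
    }};
}

/// A constant produced through the checked macro.
pub fn library_name() -> &'static CStr {
    checked_const_cstr!("libfontconfig.so.1")
}

/// Runtime path for bytes that already carry a trailing NUL (for example read
/// from a buffer): the checked constructor returns an error for a missing
/// terminator or an interior NUL, so untrusted data cannot cause a panic or UB.
pub fn cstr_from_bytes(bytes: &[u8]) -> Result<&CStr, String> {
    CStr::from_bytes_with_nul(bytes).map_err(|e| e.to_string())
}

/// Runtime path for bytes without a terminator: CString copies the data,
/// appends the NUL itself, and rejects interior NULs with an error.
pub fn cstring_from_untrusted(bytes: &[u8]) -> Result<CString, String> {
    CString::new(bytes).map_err(|e| e.to_string())
}

fn main() {
    println!("const literal: {:?}", library_name());
    for input in [GOOD, NO_NUL, INTERIOR_NUL] {
        println!("{:?} -> {:?}", input, cstr_from_bytes(input));
    }
    println!("{:?}", cstring_from_untrusted(b"untrusted\0data"));
}
```

The point of the split is that the unchecked constructor is only ever reached with bytes proven valid at compile time, while anything that depends on runtime input goes through a constructor that returns Result rather than trusting the caller.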

Comment 1 Fedora Release Engineering 2023-08-16 08:10:36 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

Comment 2 Fabio Valentini 2024-10-07 16:02:48 UTC
Fixed in version 6, still applies to the v4 compat package.

