Bug 2318560 - RUSTSEC-2023-0020: const-cstr is unmaintained
Summary: RUSTSEC-2023-0020: const-cstr is unmaintained
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: rust-dlopen2
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Rust SIG
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2177737
Reported: 2024-10-14 15:48 UTC by Fabio Valentini
Modified: 2024-10-19 03:03 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Fabio Valentini 2024-10-14 15:48:51 UTC
cf. https://rustsec.org/advisories/RUSTSEC-2023-0020.html

The last release of the "const-cstr" crate was on 2018-02-10. This is also the last day on which code changes happened in the project's git repo on GitHub. The project is now a read-only archive.

The code has some issues that violate Rust soundness rules and can lead to panics when parsing untrusted data.

The const_str and cstr crates are listed as possible alternatives.

Reproducible: Always

Comment 1 Fabio Valentini 2024-10-14 15:50:00 UTC
Note that recent Rust versions now also support this directly with the `c"C-String literal"` syntax, so there's no need to use third-party crates at all in most cases.
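The migration path described above (a `c"..."` literal in place of const-cstr, plus non-panicking parsing of untrusted NUL-terminated data), as an added example that is not part of this bug report or of dlopen2's code; the symbol name and the sample buffers are constructed placeholders, and the literal syntax needs Rust 1.77 or newer:

```rust
use std::ffi::{CStr, CString, FromBytesWithNulError, NulError};
use std::os::raw::c_char;

// Compile-time NUL-terminated constant via the c"..." literal (Rust 1.77+),
// the built-in replacement for const-cstr's macro. The type is &'static CStr.
// The symbol name is a constructed placeholder, not one used by dlopen2.
pub const SYMBOL_NAME: &CStr = c"example_symbol_name";

/// Pointer suitable for a `const char *` FFI parameter (e.g. a symbol lookup).
pub fn symbol_ptr() -> *const c_char {
    SYMBOL_NAME.as_ptr()
}

/// Borrow untrusted bytes as a &CStr. Instead of panicking, this returns Err
/// when the terminating NUL is missing or an interior NUL is present.
pub fn parse_untrusted(buf: &[u8]) -> Result<&CStr, FromBytesWithNulError> {
    CStr::from_bytes_with_nul(buf)
}

/// Build an owned C string from runtime text; Err on interior NUL bytes.
pub fn owned_name(name: &str) -> Result<CString, NulError> {
    CString::new(name)
}

/// Report the string length (without the NUL) or the parse error as text.
pub fn describe(buf: &[u8]) -> Result<usize, String> {
    parse_untrusted(buf)
        .map(|c| c.to_bytes().len())
        .map_err(|e| e.to_string())
}

fn main() {
    // Constructed sample inputs standing in for data read from a file or socket:
    // well-formed, missing terminator, interior NUL.
    let samples: [&[u8]; 3] = [&b"libfoo.so\0"[..], &b"libfoo.so"[..], &b"lib\0foo.so\0"[..]];
    for s in samples {
        println!("{:?} -> {:?}", s, describe(s));
    }
    println!("constant pointer is null: {}", symbol_ptr().is_null());
    println!("owned: {:?}", owned_name("libbar.so").map(|c| c.into_bytes_with_nul()));
}
```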

Comment 2 Jonathan Steffan 2024-10-19 03:03:19 UTC
https://github.com/OpenByteDev/dlopen2/issues/17

