cargo vet: zlib-rs audit

divviup · Nov 14, 2024 · ac306da · ac306da
1 parent a8e48e7
commit ac306da
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
@@ -398,6 +398,16 @@ who = "Brandon Pitman <[email protected]>"
 criteria = "safe-to-deploy"
 delta = "0.2.149 -> 0.2.150"
 
+[[audits.libz-rs-sys]]
+who = "Ameer Ghani <[email protected]>"
+criteria = "safe-to-deploy"
+version = "0.4.0"
+notes = """
+This crate uses unsafe since it's for C to Rust FFI. I have reviewed and fuzzed it, and I believe it is free of any serious security problems.
+
+The only dependency is zlib-rs, which is maintained by the same maintainers as this crate.
+"""
+
 [[audits.linux-raw-sys]]
 who = "Brandon Pitman <[email protected]>"
 criteria = "safe-to-run"
@@ -839,6 +849,16 @@ who = "Tim Geoghegan <[email protected]>"
 criteria = "safe-to-run"
 delta = "7.0.0 -> 7.0.1"
 
+[[audits.zlib-rs]]
+who = "Ameer Ghani <[email protected]>"
+criteria = "safe-to-deploy"
+version = "0.4.0"
+notes = """
+zlib-rs uses unsafe Rust for invoking compiler intrinsics (i.e. SIMD), eschewing bounds checks, along the FFI boundary, and for interacting with pointers sourced from C. I have extensively reviewed and fuzzed the unsafe code. All findings from that work have been resolved as of version 0.4.0. To the best of my ability, I believe it's free of any serious security problems.
+
+zlib-rs does not require any external dependencies.
+"""
+
 [[trusted.byteorder]]
 criteria = "safe-to-deploy"
 user-id = 189 # Andrew Gallant (BurntSushi)