Add unsound const-cstr (#1613)

* Add unmaintained advisory for const-cstr * Fill advisory * Adjust date * Fix typo --------- Co-authored-by: pinkforest <[email protected]> Co-authored-by: Nugine <[email protected]>
rustsec · Mar 12, 2023 · 5c42175 · 5c42175
1 parent fa80f68
commit 5c42175
Showing 1 changed file with 40 additions and 0 deletions.
diff --git a/crates/const-cstr/RUSTSEC-0000-0000.md b/crates/const-cstr/RUSTSEC-0000-0000.md
@@ -0,0 +1,40 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "const-cstr"
+date = "2023-03-12"
+url = "https://github.com/abonander/const-cstr"
+informational = "unsound"
+
+[versions]
+patched = []
+```
+
+# const-cstr is Unmaintained
+
+Last release was about five years ago.
+
+The maintainer(s) have been unreachable to respond to any issues that may or may not include security issues.
+
+The repository is now archived and there is no security policy in place to contact the maintainer(s) otherwise.
+
+No direct fork exist.
+
+# const-cstr is Unsound
+
+The crate violates the safety contract of [ffi::CStr::from_bytes_with_nul_unchecked](https://doc.rust-lang.org/std/ffi/struct.CStr.html#method.from_bytes_with_nul_unchecked) used in `ConstCStr::as_cstr`
+
+No interior nul bytes checking is done either by the constructor or the canonical macro to create the `ConstCStr`
+
+# const-cstr Panic
+
+Additionally the crate may cause runtime panics if statically compiled and ran with any untrusted data that is not nul-terminated.
+
+This is however unlikely but the the crate should not be used for untrusted data in context where panic may create a DoS vector.
+
+## Possible Alternatives
+
+The below may or may not provide alternative(s)
+
+- [const_str::cstr!](https://docs.rs/const-str/latest/const_str/macro.cstr.html)
+- [cstr::cstr!](https://crates.io/crates/cstr)