From dcc1e85940492dd9b1342dc6f2f8f1de0277b66b Mon Sep 17 00:00:00 2001
From: Ossi Herrala
Date: Mon, 20 Feb 2023 13:43:56 +0200
Subject: [PATCH 1/4] Add unmaintained advisory for const-cstr

---
 crates/const-cstr/RUSTSEC-0000-0000.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 crates/const-cstr/RUSTSEC-0000-0000.md

diff --git a/crates/const-cstr/RUSTSEC-0000-0000.md b/crates/const-cstr/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..9f7e72b10
--- /dev/null
+++ b/crates/const-cstr/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "const-cstr"
+date = "2023-02-14"
+url = "https://github.com/abonander/const-cstr"
+informational = "unmaintained"
+
+[versions]
+patched = []
+```
+
+# const-cstr is unmaintained
+
+Maintainer has archived the GitHub repository. No known alternatives exists.

From ac277e860ff2e2826c8413133eeb9f52ebfa6e6b Mon Sep 17 00:00:00 2001
From: pinkforest <36498018+pinkforest@users.noreply.github.com>
Date: Sun, 12 Mar 2023 21:09:23 +1100
Subject: [PATCH 2/4] Fill advisory

---
 crates/const-cstr/RUSTSEC-0000-0000.md | 31 +++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/crates/const-cstr/RUSTSEC-0000-0000.md b/crates/const-cstr/RUSTSEC-0000-0000.md
index 9f7e72b10..dacc5c887 100644
--- a/crates/const-cstr/RUSTSEC-0000-0000.md
+++ b/crates/const-cstr/RUSTSEC-0000-0000.md
@@ -4,12 +4,37 @@ id = "RUSTSEC-0000-0000"
 package = "const-cstr"
 date = "2023-02-14"
 url = "https://github.com/abonander/const-cstr"
-informational = "unmaintained"
+informational = "unsound"
 
 [versions]
 patched = []
 ```
 
-# const-cstr is unmaintained
+# const-cstr is Unmaintained
 
-Maintainer has archived the GitHub repository. No known alternatives exists.
+Last release was about five years ago.
+
+The maintainer(s) have been unreachable to respond to any issues that may or may not include security issues.
+
+The repository is now archived and there is no security policy in place to contact the maintainer(s) otherwise.
+
+No direct fork exist.
+
+# const-cstr is Unsound
+
+The crate violates the safety contract of [ffi::CStr::from_bytes_with_nul_unchecked](https://doc.rust-lang.org/std/ffi/struct.CStr.html#method.from_bytes_with_nul_unchecked) used in `ConstCStr::as_cstr`
+
+No interior nul bytes checking is done either by the constructor or the canonical macro to create the `ConstCStr`
+
+# const-cstr Panic
+
+Additionally the crate may cause runtime panics if statically compiled and ran with any untrusted data that is not nul-terminated.
+
+This is however unlikely but the the crate should not be used for untrusted data in context where panic may create a DoS vector.
+
+## Possible Alternatives
+
+The below may or may not provide alternative(s)
+
+- [const_cstr::cstr!](https://docs.rs/const-str/latest/const_str/macro.cstr.html)
+- [cstr::cstr!](https://docs.rs/cstr/latest/cstr)

From 6dffaef29b1d41f392734868a75f90ffc76068f3 Mon Sep 17 00:00:00 2001
From: pinkforest <36498018+pinkforest@users.noreply.github.com>
Date: Sun, 12 Mar 2023 21:10:37 +1100
Subject: [PATCH 3/4] Adjust date

---
 crates/const-cstr/RUSTSEC-0000-0000.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/const-cstr/RUSTSEC-0000-0000.md b/crates/const-cstr/RUSTSEC-0000-0000.md
index dacc5c887..8e4bfe701 100644
--- a/crates/const-cstr/RUSTSEC-0000-0000.md
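Review bot: The "const-cstr is Unsound" section never names the input that triggers the violated contract or what a consumer should audit for, so a reader cannot tell whether their code is affected; from the two paragraphs it appears that any literal containing an interior nul byte is accepted by the macro and constructor and then reaches `from_bytes_with_nul_unchecked` through `as_cstr`, which is undefined behaviour under the std contract the advisory links. Suggest adding after the second paragraph: `A literal such as "foo\0bar" is accepted silently, and calling as_cstr on the resulting ConstCStr is undefined behaviour; every ConstCStr literal in a dependent crate should be checked for interior nul bytes.` The "const-cstr Panic" section reads as contradicting the section above it — it describes runtime panics on untrusted data that is not nul-terminated, while the preceding text describes constants built from literals at compile time — so either name the constructor path that accepts runtime data or drop the paragraph rather than leaving "may or may not" hedges in an advisory. Since the `informational` field now records only `unsound`, the unmaintained status survives solely as prose, which tooling keying on that field will not see; a sentence in the first section saying this is intentional would avoid a later "why is this not flagged unmaintained" report.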
+++ b/crates/const-cstr/RUSTSEC-0000-0000.md
@@ -2,7 +2,7 @@
 [advisory]
 id = "RUSTSEC-0000-0000"
 package = "const-cstr"
-date = "2023-02-14"
+date = "2023-03-12"
 url = "https://github.com/abonander/const-cstr"
 informational = "unsound"
 

From 11af0e70973d022a60b0b49eacd01d5e5d995439 Mon Sep 17 00:00:00 2001
From: pinkforest <36498018+pinkforest@users.noreply.github.com>
Date: Mon, 13 Mar 2023 05:32:35 +1100
Subject: [PATCH 4/4] Fix typo

---
 crates/const-cstr/RUSTSEC-0000-0000.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crates/const-cstr/RUSTSEC-0000-0000.md b/crates/const-cstr/RUSTSEC-0000-0000.md
index 8e4bfe701..3420d4e6f 100644
--- a/crates/const-cstr/RUSTSEC-0000-0000.md
+++ b/crates/const-cstr/RUSTSEC-0000-0000.md
@@ -36,5 +36,5 @@ This is however the the crate should not be used for untrusted data
 
 The below may or may not provide alternative(s)
 
-- [const_cstr::cstr!](https://docs.rs/const-str/latest/const_str/macro.cstr.html)
-- [cstr::cstr!](https://docs.rs/cstr/latest/cstr)
+- [const_str::cstr!](https://docs.rs/const-str/latest/const_str/macro.cstr.html)
+- [cstr::cstr!](https://crates.io/crates/cstr)