rustsec-2023-0020
Vulnerability from osv_rustsec
Last release was about five years ago.
The maintainer(s) have been unreachable to respond to any issues that may or may not include security issues.
The repository is now archived and there is no security policy in place to contact the maintainer(s) otherwise.
No direct fork exist.
const-cstr is Unsound
The crate violates the safety contract of ffi::CStr::from_bytes_with_nul_unchecked used in ConstCStr::as_cstr
No interior nul bytes checking is done either by the constructor or the canonical macro to create the ConstCStr
const-cstr Panic
Additionally the crate may cause runtime panics if statically compiled and ran with any untrusted data that is not nul-terminated.
This is however unlikely but the the crate should not be used for untrusted data in context where panic may create a DoS vector.
Possible Alternatives
The below may or may not provide alternative(s)
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": null,
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "const-cstr",
"purl": "pkg:cargo/const-cstr"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [],
"database_specific": {
"license": "CC0-1.0"
},
"details": "Last release was about five years ago.\n\nThe maintainer(s) have been unreachable to respond to any issues that may or may not include security issues.\n\nThe repository is now archived and there is no security policy in place to contact the maintainer(s) otherwise.\n\nNo direct fork exist.\n\n# const-cstr is Unsound\n\nThe crate violates the safety contract of [ffi::CStr::from_bytes_with_nul_unchecked](https://doc.rust-lang.org/std/ffi/struct.CStr.html#method.from_bytes_with_nul_unchecked) used in `ConstCStr::as_cstr`\n\nNo interior nul bytes checking is done either by the constructor or the canonical macro to create the `ConstCStr`\n\n# const-cstr Panic\n\nAdditionally the crate may cause runtime panics if statically compiled and ran with any untrusted data that is not nul-terminated.\n\nThis is however unlikely but the the crate should not be used for untrusted data in context where panic may create a DoS vector.\n\n## Possible Alternatives\n\nThe below may or may not provide alternative(s)\n\n- [const_str::cstr!](https://docs.rs/const-str/latest/const_str/macro.cstr.html)\n- [cstr::cstr!](https://crates.io/crates/cstr)",
"id": "RUSTSEC-2023-0020",
"modified": "2023-03-12T18:38:56Z",
"published": "2023-03-12T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/const-cstr"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2023-0020.html"
},
{
"type": "WEB",
"url": "https://github.com/abonander/const-cstr"
}
],
"related": [],
"severity": [],
"summary": "const-cstr is Unmaintained"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.