From 5c4217537b46e31e2b9924e69658e5a00f5dcd8b Mon Sep 17 00:00:00 2001 From: Ossi Herrala Date: Sun, 12 Mar 2023 18:36:53 +0000 Subject: [PATCH] Add unsound `const-cstr` (#1613) * Add unmaintained advisory for const-cstr * Fill advisory * Adjust date * Fix typo --------- Co-authored-by: pinkforest <36498018+pinkforest@users.noreply.github.com> Co-authored-by: Nugine --- crates/const-cstr/RUSTSEC-0000-0000.md | 40 ++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 crates/const-cstr/RUSTSEC-0000-0000.md diff --git a/crates/const-cstr/RUSTSEC-0000-0000.md b/crates/const-cstr/RUSTSEC-0000-0000.md new file mode 100644 index 0000000..3420d4e --- /dev/null +++ b/crates/const-cstr/RUSTSEC-0000-0000.md @@ -0,0 +1,40 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "const-cstr" +date = "2023-03-12" +url = "https://github.com/abonander/const-cstr" +informational = "unsound" + +[versions] +patched = [] +``` + +# const-cstr is Unmaintained + +Last release was about five years ago. + +The maintainer(s) have been unreachable to respond to any issues that may or may not include security issues. + +The repository is now archived and there is no security policy in place to contact the maintainer(s) otherwise. + +No direct fork exist. + +# const-cstr is Unsound + +The crate violates the safety contract of [ffi::CStr::from_bytes_with_nul_unchecked](https://doc.rust-lang.org/std/ffi/struct.CStr.html#method.from_bytes_with_nul_unchecked) used in `ConstCStr::as_cstr` + +No interior nul bytes checking is done either by the constructor or the canonical macro to create the `ConstCStr` + +# const-cstr Panic + +Additionally the crate may cause runtime panics if statically compiled and ran with any untrusted data that is not nul-terminated. + +This is however unlikely but the the crate should not be used for untrusted data in context where panic may create a DoS vector. + +## Possible Alternatives + +The below may or may not provide alternative(s) + +- [const_str::cstr!](https://docs.rs/const-str/latest/const_str/macro.cstr.html) +- [cstr::cstr!](https://crates.io/crates/cstr)