RUSTSEC-2023-0020

Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0020.json
Published
2023-03-12T12:00:00Z
Modified
2023-03-12T18:38:56Z
Details

Last release was about five years ago.

The maintainer(s) have been unreachable to respond to any issues that may or may not include security issues.

The repository is now archived and there is no security policy in place to contact the maintainer(s) otherwise.

No direct fork exist.

const-cstr is Unsound

The crate violates the safety contract of ffi::CStr::frombyteswithnulunchecked used in ConstCStr::as_cstr

No interior nul bytes checking is done either by the constructor or the canonical macro to create the ConstCStr

const-cstr Panic

Additionally the crate may cause runtime panics if statically compiled and ran with any untrusted data that is not nul-terminated.

This is however unlikely but the the crate should not be used for untrusted data in context where panic may create a DoS vector.

Possible Alternatives

The below may or may not provide alternative(s)

References

Affected packages

crates.io / const-cstr

const-cstr

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0

Affected versions

Ecosystem specific 

{
    "affects": {
        "arch": [],
        "os": [],
        "functions": []
    }
}

Database specific 

{
    "categories": [],
    "cvss": null,
    "informational": "unsound"
}