RUSTSEC-2023-0020

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2023-0020
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0020.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2023-0020
Published
2023-03-12T12:00:00Z
Modified
2023-03-12T18:38:56Z
Summary
const-cstr is Unmaintained
Details

Last release was about five years ago.

The maintainer(s) have been unreachable to respond to any issues that may or may not include security issues.

The repository is now archived and there is no security policy in place to contact the maintainer(s) otherwise.

No direct fork exist.

const-cstr is Unsound

The crate violates the safety contract of ffi::CStr::frombyteswithnulunchecked used in ConstCStr::as_cstr

No interior nul bytes checking is done either by the constructor or the canonical macro to create the ConstCStr

const-cstr Panic

Additionally the crate may cause runtime panics if statically compiled and ran with any untrusted data that is not nul-terminated.

This is however unlikely but the the crate should not be used for untrusted data in context where panic may create a DoS vector.

Possible Alternatives

The below may or may not provide alternative(s)

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / const-cstr

Package

Name
const-cstr
View open source insights on deps.dev
Purl
pkg:cargo/const-cstr

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0

Ecosystem specific 

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific 

{
    "cvss": null,
    "informational": "unsound",
    "categories": []
}