RUSTSEC-2023-0076

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2023-0076
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0076.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2023-0076
Published
2023-11-14T12:00:00Z
Modified
2023-12-20T22:34:55Z
Summary
`cpython` is unmaintained
Details

The cpython crate and the underlying python3-sys and python27-sys crates have been marked as [no longer actively maintained] by the developer.

There are also open issues for unsound code that is currently in these crates:

  • [cpython#265]: Using some string functions causes segmentation faults on big-endian architectures. Due to incorrect bitfield manipulations, it is possible to create invalid Python objects that crash the Python interpreter.
  • [cpython#294]: Python 3.12 is not supported. Due to ABI changes in Python 3.12, calling some string functions will result in invalid Python objects and / or cause out-of-bounds memory accesses.

Recommended alternatives

  • [pyo3] (version 0.19.2 and newer)

The pyo3 crate is actively maintained. Preliminary support for Python 3.12 was added in version 0.19.2, and version 0.20.0 was released with full support for Python 3.12.

Both versions implement string functions correctly on big-endian architectures. The endianness issue affecting the cpython crate was fixed in recent versions of pyo3.

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / cpython

Package

Name
cpython
View open source insights on deps.dev
Purl
pkg:cargo/cpython

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0

Ecosystem specific 

{
    "affects": {
        "functions": [],
        "os": [],
        "arch": []
    },
    "affected_functions": null
}

Database specific

informational 
"unmaintained"
categories 
[]
cvss 
null
source 
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0076.json"