RUSTSEC-2023-0076

Source: https://rustsec.org/advisories/RUSTSEC-2023-0076
Import Source: https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0076.json
JSON Data: https://api.osv.dev/v1/vulns/RUSTSEC-2023-0076
Published: 2023-11-14T12:00:00Z
Modified: 2023-12-20T22:34:55Z
Summary: `cpython` is unmaintained
Details

The cpython crate and the underlying python3-sys and python27-sys crates have been marked as [no longer actively maintained] by the developer.

There are also open issues for unsound code that is currently in these crates:

  • [cpython#265]: Using some string functions causes segmentation faults on big-endian architectures. Due to incorrect bitfield manipulations, it is possible to create invalid Python objects that crash the Python interpreter.
  • [cpython#294]: Python 3.12 is not supported. Due to ABI changes in Python 3.12, calling some string functions will produce invalid Python objects and/or cause out-of-bounds memory accesses.

Recommended alternatives

  • [pyo3] (version 0.19.2 and newer)

The pyo3 crate is actively maintained. Preliminary support for Python 3.12 was added in version 0.19.2, and version 0.20.0 was released with full support for Python 3.12.

Both versions implement string functions correctly on big-endian architectures. The endianness issue affecting the cpython crate was fixed in recent versions of pyo3.

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / cpython

Package

Affected ranges

Type: SEMVER
Events: Introduced 0.0.0-0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": "unmaintained",
    "categories": []
}