RUSTSEC-2023-0020 – const-cstr

Package

Manager: cargo
Name: const-cstr
Vulnerable Version: >=0.0.0-0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

const-cstr is Unmaintained Last release was about five years ago. The maintainer(s) have been unreachable to respond to any issues that may or may not include security issues. The repository is now archived and there is no security policy in place to contact the maintainer(s) otherwise. No direct fork exist. # const-cstr is Unsound The crate violates the safety contract of [ffi::CStr::from_bytes_with_nul_unchecked](https://doc.rust-lang.org/std/ffi/struct.CStr.html#method.from_bytes_with_nul_unchecked) used in `ConstCStr::as_cstr` No interior nul bytes checking is done either by the constructor or the canonical macro to create the `ConstCStr` # const-cstr Panic Additionally the crate may cause runtime panics if statically compiled and ran with any untrusted data that is not nul-terminated. This is however unlikely but the the crate should not be used for untrusted data in context where panic may create a DoS vector. ## Possible Alternatives The below may or may not provide alternative(s) - [const_str::cstr!](https://docs.rs/const-str/latest/const_str/macro.cstr.html) - [cstr::cstr!](https://crates.io/crates/cstr)

Metadata

Created: 2023-03-12T12:00:00Z
Modified: 2023-03-12T18:38:56Z
Source: https://osv-vulnerabilities
CWE IDs: N/A
Alternative ID: N/A
Finding: F138
Auto approve: 1