Critical 9.8/10 vulnerability for this library #209
Comments
|
Thanks for sharing. I'd love a PR to fix each of these. For the latter one, the fn has been deprecated. For the former, there's been a comment there for a while, since the code was suspected to be incorrect. I haven't used Rust much in years, so I'm hoping someone else can pick this up. Perhaps @Ella-0? |
|
I'd love to help, but the repo I linked to in my OP represents the current extent of my own Rust knowledge. I did that pancurses/ncurses-rs project a few years ago as a way to learn Rust myself, but I'm certainly more than a little rust-y on it since I haven't really touched it since then. |
Currently I'm in the middle of exams but I can have a look after they finish. |
Excellent. You're the best. Best of luck with your exams. :D |
|
Thank you for reporting. This is fixed in versions 6.0.0 and higher. 7bd2554 |
|
Many thanks! I tested and added the fix to my repo and all seems happy now. |
I take it that (at least)compiles on Fedora? I'll add it to my virtualbox for testing... EDIT: I'm trying to make it compile on Gentoo and NixOS, provided needed libs are already installed system-wide. Will PR after I make sure it works with a bunch of projects that use it (yours is on list too) |
|
It worked here with rust/Cargo 1.77 on Fedora 39. I didn't try in an RPM spec, but it should work, AFAICT. I'll get a bugzilla request to get the Fedora package updated, if it hasn't already been submitted. |
According to GitHub depandabot this library now has a 9.8/10 vulnerability at the current version (5.101.0) as well as a 7.5/10 high.
Here are the CVEs:
CVE-2019-15548
CVE-2019-15547
Here's the corresponding Rust Advisory.
The text was updated successfully, but these errors were encountered: