Critical 9.8/10 vulnerability for this library #209
Comments
Thanks for sharing. I'd love a PR to fix each of these. For the latter one, the fn has been deprecated. For the former, there's been a comment there for a while, since the code was suspected to be incorrect. I haven't used Rust much in years, so I'm hoping someone else can pick this up. Perhaps @Ella-0?
I'd love to help, but the repo I linked to in my OP represents the current extent of my own Rust knowledge. I did that pancurses/ncurses-rs project a few years ago as a way to learn Rust myself, but I'm certainly more than a little rust-y on it since I haven't really touched it since then.
Currently I'm in the middle of exams but I can have a look after they finish.
Excellent. You're the best. Best of luck with your exams. :D
Thank you for reporting. This is fixed in versions 6.0.0 and higher. 7bd2554
Many thanks! I tested and added the fix to my repo and all seems happy now.
I take it that (at least) compiles on Fedora? I'll add it to my virtualbox for testing... EDIT: I'm trying to make it compile on Gentoo and NixOS, provided needed libs are already installed system-wide. Will PR after I make sure it works with a bunch of projects that use it (yours is on the list too)
It worked here with rust/Cargo 1.77 on Fedora 39. I didn't try in an RPM spec, but it should work, AFAICT. I'll get a bugzilla request to get the Fedora package updated, if it hasn't already been submitted.
According to GitHub Dependabot this library now has a 9.8/10 vulnerability at the current version (5.101.0) as well as a 7.5/10 high.
Here are the CVEs:
CVE-2019-15548
CVE-2019-15547
Here's the corresponding Rust Advisory.