advisory-db
Integer overflow in xml-rs crate
Upstream issues:
- https://github.com/netvl/xml-rs/issues/210
- https://github.com/netvl/xml-rs/issues/204
The owners per crates would suggest @netvl and @tomaka own this crate.
I wonder whether people should be using this crate?
Seems the crate has been duly abandoned, going by these:
- https://github.com/netvl/xml-rs/issues/219
- https://github.com/netvl/xml-rs/pull/218
@oherrala probably the best action may be to file informational = unmaintained.
There are 15,524,101 downloads total and ~30k daily downloads.
Nonetheless the crate forbids any unsafe code and there aren't many dependencies.
Nonetheless, for any parsing crate where maintainers may be unresponsive, I would like to know the maintenance status to make an informed decision, and this is probably worthwhile to flag up to nudge anyone using it - especially since there are concerns around parsing that have gone without fixes and it may be used in a context where it is necessary to trust the parser.
It would have been nice if there had been feedback from the maintainer as to the patches / fixes - do we know any alternative crate we can recommend as an actionable fix?
It'd definitely be good to file an unmaintained crate advisory if the crate has been abandoned.
Otherwise this is a sort of tricky issue in that we don't want to file advisories for every last potential panic, but the one exception to that has been panics in format parsers that operate on untrusted data (potentially sourced via the network) as that becomes a network DoS vector (not sure we have a written policy for that in particular anywhere).
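To illustrate the class of defect this thread is about (an arithmetic overflow in a parser fed untrusted input, where a panic becomes a denial-of-service vector), here is an added Rust example. It is not code from xml-rs or from advisory-db, and it does not reproduce the specific upstream issues linked above; the numeric character reference decoder is a hypothetical stand-in, with `decode_char_ref_unchecked`, `decode_char_ref` and the error enum all being names chosen for this example. In a debug build the unchecked decoder panics on an oversized digit string; in a release build it silently wraps. The hardened version uses checked arithmetic and returns an error the caller can handle instead.

```rust
// Added example (not xml-rs or advisory-db code): an unchecked accumulation
// in a parser of untrusted input versus its checked counterpart.
use std::panic;

#[derive(Debug, PartialEq)]
pub enum CharRefError {
    Empty,
    NotADigit(char),
    Overflow,
    NotAChar(u32),
}

/// Naive decoder for the digits of `&#NNNN;`. `value * 10 + d` uses plain
/// operators: with overflow checks on (debug builds) an overlong digit string
/// panics, which in a network-facing parser is a DoS; with checks off it wraps
/// and yields a wrong value. Neither outcome is acceptable for untrusted input.
pub fn decode_char_ref_unchecked(digits: &str) -> Option<char> {
    let mut value: u32 = 0;
    for c in digits.chars() {
        let d = c.to_digit(10)?;
        value = value * 10 + d;
    }
    char::from_u32(value)
}

/// Hardened decoder: every step uses checked arithmetic and overflow is
/// reported as an error, so the caller can reject the document instead of
/// the process going down.
pub fn decode_char_ref(digits: &str) -> Result<char, CharRefError> {
    if digits.is_empty() {
        return Err(CharRefError::Empty);
    }
    let mut value: u32 = 0;
    for c in digits.chars() {
        let d = c.to_digit(10).ok_or(CharRefError::NotADigit(c))?;
        value = value
            .checked_mul(10)
            .and_then(|v| v.checked_add(d))
            .ok_or(CharRefError::Overflow)?;
    }
    // Values above U+10FFFF (or surrogates) are not characters either.
    char::from_u32(value).ok_or(CharRefError::NotAChar(value))
}

/// Demonstration helper: runs the naive decoder and reports whether it panicked
/// (true in builds with overflow checks, false where it wrapped instead).
pub fn unchecked_panics(digits: &str) -> bool {
    panic::catch_unwind(|| decode_char_ref_unchecked(digits)).is_err()
}

fn main() {
    // Constructed sample inputs: a benign reference and an oversized one of the
    // kind a hostile document could carry.
    let benign = "65";
    let oversized = "99999999999999999999";
    println!("&#{}; -> {:?}", benign, decode_char_ref(benign));
    println!("&#{}; -> {:?}", oversized, decode_char_ref(oversized));
    println!("naive decoder panicked on oversized input: {}", unchecked_panics(oversized));
}
```

The point for an advisory triager is the one made in the comment above: whether a parser treats a malformed length or count as an error or as a panic decides whether a single hostile document is a rejected input or a crashed service. Running the example with and without `-C overflow-checks` shows the two failure modes of the naive version, while the checked version behaves the same in both.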
My latest contribution is from April 2015. I don't think I can be considered a maintainer.
@tomaka maybe there is someone who wants to take over it or something, considering it has a lot of use?
You might also potentially be able to transfer the crate ownership to someone who could maintain it, as you're still listed as owner of the crate on crates.io - that would most definitely be very helpful, I would think.
Hello,
I'm the owner of that crate, and it is indeed unmaintained because I haven't had any capacity to do it for a very long time. I would very much like to pass ownership of it to someone else.
That being said, my current employer requires any work on any open-source projects to be approved (I'm not even 100% sure it is okay for me to answer here), so even if I find someone, it will take some time for me to get an approval to do the necessary transfer work — for another project, it took about 3 months from start to end.
Still, if there is anyone willing to take ownership and maintenance work, I will be glad to do it.
Cool - thanks a lot for taking the time to let us know.
We don't usually flag advisories where the maintainer is reachable - the advisory would be for anything totally unreachable.
Would you nonetheless be okay with us filing an unmaintained informational advisory, so it can perhaps make someone from the community step up and you might be able to start the process?
Cheers
Since I'm the only owner of the repository right now, no one else will be able to do anything with the code except me, and I can't either without an approval. I will start the process of approval for transferring the repo to someone else (I have just got a person interested in it), but it will take time. I don't think I entirely understand your process, so feel free to do whatever you think is appropriate, given what I just said.
Ok. We'll file it as unmaintained in https://github.com/rustsec/advisory-db/pull/1356
The new maintainer - if any - can send a PR to set the advisory withdrawn when back to maintained status.
Thanks a lot!