
`mbox` is unmaintained and unsound

Open Nugine opened this issue 2 years ago • 2 comments

https://github.com/kennytm/mbox
https://crates.io/crates/mbox

Last commit on 2021-04-01
Last release on 2021-04-01
The author is not responding.

Unsoundness: https://github.com/kennytm/mbox/issues/23

2 reverse dependencies on crates.io
140 (transitive) dependents on GitHub

Nugine, Mar 06 '23 17:03

Re: Unsound

The fn is marked as unsafe, and the issue on it was opened only yesterday.

To have the fn flagged as "unsound", the fn should be safe, and there should be a vector to exploit the unsafe behind it.

Re: Unmaintained

On which issue is the author not responding, which would indicate that potential security fixes would not be merged?

Please note that our unmaintained advisories are reserved for:

A) Completely unreachable maintainers, to the point it is reasonably clear that security issues would not be addressed, or

B) Where the maintainer has explicitly advised that no maintenance is done at all, including potential security issues.

pinkforest, Mar 08 '23 06:03

The fn is marked as unsafe, and the issue on it was opened only yesterday.

mbox::MBox::new is marked as safe.

Call stack:

mbox::MBox::new (safe)
    mbox::internal::gen_malloc (safe)
        mbox::internal::malloc_aligned (unsafe, incorrect)

On which issue is the author not responding, which would indicate that potential security fixes would not be merged?

  • https://github.com/kennytm/mbox/pull/18
  • https://github.com/kennytm/mbox/issues/20
  • https://github.com/kennytm/mbox/issues/21

The issues and PRs have been hanging for over 15 months.

Nugine, Mar 08 '23 06:03
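The soundness rule the two comments above are arguing about, as an added illustration that is not mbox's code and does not reproduce the specific defect reported in kennytm/mbox#23: an `unsafe fn` may leave preconditions to its caller, but a safe fn that reaches it without establishing them is the unsound one, however deep in the call stack the undefined behaviour actually occurs. `malloc_aligned` and `OwnedAlloc` here are hypothetical stand-ins for the roles in Nugine's call stack; the zero-size precondition is one real requirement of `std::alloc::alloc`, used as the example contract a safe constructor must discharge.

```rust
use std::alloc::{alloc, dealloc, Layout};
use std::ptr::NonNull;
/// Hypothetical allocator in the role of `malloc_aligned`.
/// SAFETY (caller): `layout.size()` must be non-zero; std's `alloc` is
/// undefined behaviour for zero-sized layouts.
unsafe fn malloc_aligned(layout: Layout) -> *mut u8 {
    alloc(layout)
}

/// Hypothetical owning pointer in the role of `MBox<T>`; frees on drop.
pub struct OwnedAlloc<T> { ptr: NonNull<T>, layout: Layout }

impl<T> OwnedAlloc<T> {
    /// Safe constructor in the role of `MBox::new`. Any caller may pass any
    /// `T`, so this fn must itself discharge every precondition of the unsafe
    /// fn it reaches; skipping one would make this *safe* fn the unsound one.
    pub fn new(value: T) -> Option<Self> {
        let layout = Layout::new::<T>(); // alignment is always a valid power of two
        let ptr = if layout.size() == 0 {
            // Zero-sized T: never call the allocator; a dangling, aligned
            // pointer is a valid place to store and read a ZST.
            NonNull::<T>::dangling()
        } else {
            // SAFETY: size is non-zero, so malloc_aligned's contract holds.
            NonNull::new(unsafe { malloc_aligned(layout) }.cast::<T>())? // OOM -> None
        };
        // SAFETY: ptr is non-null, aligned and owns layout.size() bytes
        // (or is dangling-but-valid for a ZST).
        unsafe { ptr.as_ptr().write(value) };
        Some(OwnedAlloc { ptr, layout })
    }

    pub fn get(&self) -> &T {
        // SAFETY: `new` initialised the value and only Drop frees it.
        unsafe { self.ptr.as_ref() }
    }
}

impl<T> Drop for OwnedAlloc<T> {
    fn drop(&mut self) {
        // SAFETY: mirrors `new`; the ZST path never allocated, so never frees.
        unsafe {
            std::ptr::drop_in_place(self.ptr.as_ptr());
            if self.layout.size() != 0 {
                dealloc(self.ptr.as_ptr() as *mut u8, self.layout);
            }
        }
    }
}
```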