
Minimp3 has a security vulnerability

Open yara-blue opened this issue 5 months ago • 4 comments

https://github.com/RustAudio/rodio/security/dependabot/2

Impact on rodio: low. Our default is symphonia, which has no such vulnerabilities.

Possible resolutions

  • remove minimp3; symphonia covers all use cases. The only reason to keep minimp3 is licensing
  • fix minimp3 by removing its dependency on slice-ring-buffer. Note: I have an old fork of minimp3 which implements seeking. Might be worth fixing it there and then adding seeking support to minimp3 in rodio: https://github.com/dvdsk/minimp3-rs

yara-blue avatar Jul 19 '25 13:07 yara-blue

I vote for removing minimp3. Any community effort is better spent on improving pure Rust Symphonia than reviving C-based minimp3.

roderickvd avatar Aug 03 '25 20:08 roderickvd

https://github.com/germangb/minimp3-rs

Minimp3 is maintained again and the issue is on their agenda. Let's wait for the fix.

yara-blue avatar Aug 10 '25 22:08 yara-blue

The recent maintainer has added in https://github.com/germangb/minimp3-rs/pull/51:

[!CAUTION] This crate is not recommended for new projects due to multiple memory unsoundness issues and the availability of mature, safe Rust alternatives. Consider using fully Rust-based libraries instead, such as:

So maybe move to nanomp3.

roderickvd avatar Sep 26 '25 21:09 roderickvd

I vote for removing minimp3. Any community effort is better spent on improving pure Rust Symphonia than reviving C-based minimp3.

I agree with this now. Let's just rip it out.

yara-blue avatar Sep 27 '25 09:09 yara-blue