RUSTSEC-2021-0145: Potential unaligned read
| Details | |
|---|---|
| Status | unsound |
| Package | atty |
| Version | 0.2.14 |
| URL | https://github.com/softprops/atty/issues/50 |
| Date | 2021-07-04 |
On Windows, atty dereferences a potentially unaligned pointer.
In practice, however, the pointer won't be unaligned unless a custom global allocator is used.
In particular, the System allocator on Windows uses HeapAlloc, which guarantees a large enough alignment.
atty is Unmaintained
A pull request with a fix was provided over a year ago, but the maintainer seems to be unreachable.
The last release of atty was almost 3 years ago.
Possible Alternative(s)
The list below has not been vetted in any way and may or may not contain alternatives:
- std::io::IsTerminal - Stable since Rust 1.70.0
- is-terminal - Standalone crate supporting Rust older than 1.70.0
See advisory page for additional details.
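To make the unsoundness class concrete, here is an added example (constructed for this page, not atty's code or its fix) showing the unaligned-read pattern behind RUSTSEC-2021-0145 on a byte buffer: an alignment check that fails closed instead of dereferencing, `ptr::read_unaligned`, which is sound at any offset, and the `unsafe`-free `from_ne_bytes` form. `Aligned4` is a constructed sample type so that offsets are deterministic.

```rust
use std::convert::TryInto;
use std::mem::align_of;
use std::ptr;

/// Constructed sample buffer whose start is guaranteed 4-byte aligned, so the
/// offsets used below mean the same thing on every run.
#[repr(C, align(4))]
pub struct Aligned4(pub [u8; 8]);

/// True when a `u32` at `buf[offset]` sits on a 4-byte boundary, i.e. when a
/// plain `*ptr` / `ptr::read` of it would not be an unaligned read.
pub fn is_aligned_for_u32(buf: &[u8], offset: usize) -> bool {
    (buf.as_ptr() as usize).wrapping_add(offset) % align_of::<u32>() == 0
}

/// The pattern behind the advisory: cast a byte pointer to `*const u32` and
/// dereference it. Here the alignment is verified first and the call returns
/// None instead of committing undefined behaviour.
pub fn read_u32_aligned_only(buf: &[u8], offset: usize) -> Option<u32> {
    let bytes = buf.get(offset..offset.checked_add(4)?)?;
    if !is_aligned_for_u32(buf, offset) {
        return None;
    }
    // SAFETY: 4 readable bytes at an address checked to be 4-byte aligned.
    Some(unsafe { *(bytes.as_ptr() as *const u32) })
}

/// Sound for any offset: `read_unaligned` has no alignment requirement.
pub fn read_u32_unaligned(buf: &[u8], offset: usize) -> Option<u32> {
    let bytes = buf.get(offset..offset.checked_add(4)?)?;
    // SAFETY: 4 readable bytes; read_unaligned tolerates any alignment.
    Some(unsafe { ptr::read_unaligned(bytes.as_ptr() as *const u32) })
}

/// Same result with no `unsafe` at all; preferable when the buffer is only
/// ever handled as bytes.
pub fn read_u32_from_bytes(buf: &[u8], offset: usize) -> Option<u32> {
    let bytes = buf.get(offset..offset.checked_add(4)?)?;
    Some(u32::from_ne_bytes(bytes.try_into().ok()?))
}

fn main() {
    let buf = Aligned4([0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88]);
    println!("offset 1 aligned for u32? {}", is_aligned_for_u32(&buf.0, 1));
    println!("checked deref at 1:     {:?}", read_u32_aligned_only(&buf.0, 1));
    println!("read_unaligned at 1:    {:#x?}", read_u32_unaligned(&buf.0, 1));
    println!("from_ne_bytes at 1:     {:#x?}", read_u32_from_bytes(&buf.0, 1));
}
```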
We should migrate away from structopt and use clap directly.
cargo tree output shows that atty is only used in tests and comes from two dependencies. structopt has a 2.33 dependency on clap which is preventing us from updating clap. However, structopt is in maintenance mode and clap is the recommended path forward.
```
➜ s2n-quic git:(main) cargo tree -p atty -i
atty v0.2.14
├── clap v2.34.0
│   └── structopt v0.3.26
│       ├── s2n-quic-qns v0.1.0 (/Users/apoorvko/projects/s2n-quic/quic/s2n-quic-qns)
│       └── s2n-quic-sim v0.1.0 (/Users/apoorvko/projects/s2n-quic/quic/s2n-quic-sim)
└── criterion v0.4.0
    └── s2n-quic-bench v0.1.0 (/Users/apoorvko/projects/s2n-quic/quic/s2n-quic-bench)
```
https://github.com/aws/s2n-quic/issues/2324