
`rmp-serde` Unsound

Open pinkforest opened this issue 3 years ago • 7 comments

https://github.com/3Hren/msgpack-rust/issues/305 https://gist.github.com/Lucretiel/5deaf285f06a85056aa76276abf9bd77

@Lucretiel would you mind contributing a PR on an informational = "unsound" advisory on this?

Do we know what release these Raw deprecations ended up in?

pinkforest, Sep 27 '22 00:09

They were deprecated (but not yet removed) in 1.1.0

Lucretiel, Sep 27 '22 03:09

Sure, I can start a report; is there a guide for how to write them?

Lucretiel, Sep 27 '22 03:09

@kornelski just wondering re: the release for rmp-serde w/ removed Raw? We can also mention the deprecation. Thanks.

pinkforest, Sep 27 '22 03:09

@Lucretiel That would be lovely!

You can send a pull request creating `crates/rmp-serde/RUSTSEC-0000-0000.md`.

For an example of an unsound advisory: https://github.com/rustsec/advisory-db/pull/1389/files

For the date, use when you reported the issue originally; it's backdated.

Cheers

pinkforest, Sep 27 '22 03:09
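A filled-in version of the advisory front matter the comment above asks for, as an added example that is not from this thread, from the advisory-db repository, or from the published advisory. It uses the `[advisory]`/`[versions]` layout of RustSec advisory files: the id stays the `RUSTSEC-0000-0000` placeholder that is replaced when the PR is merged, the package, url and `informational = "unsound"` come from this thread, the date is an assumed placeholder standing in for the original report date, and the patched bound uses the 1.1.1 release kornelski names at the end of the thread. The real file wraps this TOML in a fenced block and follows it with a `# Title` line and a short description of the problem.

```toml
# Added example of crates/rmp-serde/RUSTSEC-0000-0000.md front matter,
# not a copy of the real advisory.
[advisory]
id = "RUSTSEC-0000-0000"          # placeholder; the real ID is assigned when the PR is merged
package = "rmp-serde"
date = "2022-09-27"               # assumption: replace with the date the issue was originally reported
url = "https://github.com/3Hren/msgpack-rust/issues/305"
informational = "unsound"         # unsoundness rather than a vulnerability with a known exploit

[versions]
patched = [">= 1.1.1"]            # fixed release named later in the thread
```

Because the advisory is informational, `cargo audit` reports it as a warning rather than as a vulnerability by default; the `patched` bound is what lets it tell an affected lockfile from a fixed one, so it must match the actual fixed release.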

It appears that Raw itself wasn't deprecated, but from_utf8 was. There's still potential unsoundness in the serialize -> deserialize path. I haven't seen any justification for why the type exists in the first place, so it remains my position that it should be deprecated and removed entirely.

Lucretiel, Sep 27 '22 03:09

Cool, yeah, if we could please document all those different vectors despite them being deprecated, so the user will have an informed choice of which APIs to use. Cheers

pinkforest, Sep 27 '22 03:09

Fixed in rmp-serde 1.1.1

kornelski, Sep 27 '22 12:09
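The check a practitioner runs once the fixed release is known, as an added example that is not part of this thread: read a project's Cargo.lock, pull out the pinned rmp-serde version and compare it against 1.1.1, the release kornelski names as the fix. The lockfile embedded in the script is constructed sample input, not from any real project; the version compare handles plain numeric x.y.z versions only; and `cargo audit`, which consumes this advisory database, is the normal way to do this across a whole lockfile, so the script shows only the bare check for one crate.

```sh
#!/bin/sh
# Added example, not from the thread: does a Cargo.lock pin an rmp-serde
# release older than the one the thread names as fixed (1.1.1)?
set -eu

FIXED_VERSION="1.1.1"

# Constructed sample Cargo.lock (not from any real project). Cargo.lock is
# TOML: one [[package]] table per crate, each with a name and a version line.
SAMPLE_LOCK='version = 3

[[package]]
name = "rmp"
version = "0.8.11"

[[package]]
name = "rmp-serde"
version = "1.1.0"

[[package]]
name = "serde"
version = "1.0.144"
'

# lock_version NAME: read a Cargo.lock on stdin and print NAME's version,
# or nothing if the crate is not in the lockfile. The top-level
# "version = 3" lockfile-format line is skipped because no name precedes it.
lock_version() {
    awk -v pkg="$1" '
        /^\[\[package\]\]/ { name = "" }
        /^name = /    { gsub(/"/, "", $3); name = $3 }
        /^version = / { gsub(/"/, "", $3); if (name == pkg) { print $3; exit } }
    '
}

# version_lt A B: succeed when numeric version A is older than B.
# Only plain x.y.z versions are handled; a pre-release suffix is ignored.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# check_rmp_serde: read a Cargo.lock on stdin and print one of
# "absent" (crate not used), "affected" (older than the fix) or "fixed".
check_rmp_serde() {
    v="$(lock_version rmp-serde)"
    if [ -z "$v" ]; then
        echo absent
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo affected
    else
        echo fixed
    fi
}

printf '%s' "$SAMPLE_LOCK" | check_rmp_serde   # prints "affected" for the sample
```

To run it against a real project, replace the sample with `check_rmp_serde < path/to/Cargo.lock`; an "affected" result means bumping rmp-serde to at least 1.1.1 and regenerating the lockfile.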