
`aliasable` Unsound

Open steffahn opened this issue 2 years ago • 1 comment

See this issue: https://github.com/avitex/rust-aliasable/issues/3

The issue is closed and “fixed”, but the fix has not been published yet (for more than a year now). The only affected version at the moment is 0.1.3 (previous versions didn’t have the relevant API yet), which is currently the latest version.

I guess, in case no-one else kindly wants to pick this up, I will eventually have to read through the procedure of how to do a PR for the vulnerability here myself 😁

steffahn avatar Oct 16 '22 02:10 steffahn

Hi, many thanks for the contribution and for proactively asking the maintainer for the fixed release -

Would love to have that as actionable fix before merging a PR :)

Would be really lovely if you could send a PR for this! :heart:

It would be, e.g., if 0.1.4 is the patched version and everything below 0.1.3 is unaffected, whilst leaving 0.1.3 flagged:

```toml
[versions]
patched = [">= 0.1.4"]
unaffected = ["< 0.1.3"]
```

Here's a couple of informational = "unsound" PRs -

  • https://github.com/rustsec/advisory-db/pull/1389/files - mozjpeg
  • https://github.com/rustsec/advisory-db/pull/1304/files - crossbeam-utils
  • https://github.com/rustsec/advisory-db/pull/1366/files - iana-time-zone
  • https://github.com/rustsec/advisory-db/pull/1231/files - some crossbeam family of crates

pinkforest avatar Oct 16 '22 06:10 pinkforest
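As an added illustration of how the `[versions]` table suggested above is interpreted, the following example (not code from advisory-db, cargo-audit or the `aliasable` crate) evaluates a crate version against `patched` and `unaffected` requirement lists: a version is reported as vulnerable only when it matches neither list. The hand-rolled parser is an assumption for the sake of a dependency-free example; it accepts plain MAJOR.MINOR.PATCH versions and `>=`, `>`, `<=`, `<`, `=` comparators joined by commas, whereas cargo-audit uses the `semver` crate with full pre-release handling. The `aliasable_status` helper and `Status` enum are names introduced here, not part of any RustSec tooling.

```rust
// Added example: minimal evaluator for RustSec-style `[versions]` ranges.
// A version is vulnerable when it matches no `patched` and no `unaffected`
// requirement. The semver handling is deliberately simplified (no
// pre-release or build metadata); cargo-audit relies on the `semver` crate.
use std::cmp::Ordering;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parses "x.y.z"; anything else yields None rather than a guess.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

#[derive(Debug, Clone, Copy)]
enum Op { Ge, Gt, Le, Lt, Eq }

/// A single comparator such as ">= 0.1.4" or "< 0.1.3".
#[derive(Debug)]
struct Comparator { op: Op, version: Version }

impl Comparator {
    fn parse(s: &str) -> Option<Comparator> {
        let s = s.trim();
        let (op, rest) = if let Some(r) = s.strip_prefix(">=") {
            (Op::Ge, r)
        } else if let Some(r) = s.strip_prefix("<=") {
            (Op::Le, r)
        } else if let Some(r) = s.strip_prefix('>') {
            (Op::Gt, r)
        } else if let Some(r) = s.strip_prefix('<') {
            (Op::Lt, r)
        } else if let Some(r) = s.strip_prefix('=') {
            (Op::Eq, r)
        } else {
            (Op::Eq, s) // bare version means exact match
        };
        Some(Comparator { op, version: Version::parse(rest)? })
    }

    fn matches(&self, v: Version) -> bool {
        match (self.op, v.cmp(&self.version)) {
            (Op::Ge, Ordering::Greater | Ordering::Equal) => true,
            (Op::Gt, Ordering::Greater) => true,
            (Op::Le, Ordering::Less | Ordering::Equal) => true,
            (Op::Lt, Ordering::Less) => true,
            (Op::Eq, Ordering::Equal) => true,
            _ => false,
        }
    }
}

/// One requirement string; comma-separated comparators must all hold,
/// e.g. ">= 0.1.9, < 0.2.0" describes a backported fix on an older line.
#[derive(Debug)]
pub struct VersionReq { comparators: Vec<Comparator> }

impl VersionReq {
    pub fn parse(s: &str) -> Option<VersionReq> {
        let comparators = s.split(',').map(Comparator::parse).collect::<Option<Vec<_>>>()?;
        Some(VersionReq { comparators })
    }
    pub fn matches(&self, v: Version) -> bool {
        self.comparators.iter().all(|c| c.matches(v))
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Status { Vulnerable, Patched, Unaffected }

/// Mirrors an advisory's `[versions]` table.
pub struct AdvisoryVersions { patched: Vec<VersionReq>, unaffected: Vec<VersionReq> }

fn parse_all(reqs: &[&str]) -> Option<Vec<VersionReq>> {
    reqs.iter().copied().map(VersionReq::parse).collect()
}

impl AdvisoryVersions {
    pub fn new(patched: &[&str], unaffected: &[&str]) -> Option<Self> {
        Some(AdvisoryVersions { patched: parse_all(patched)?, unaffected: parse_all(unaffected)? })
    }

    /// Patched and unaffected are checked first; everything else is flagged.
    pub fn status(&self, v: Version) -> Status {
        if self.patched.iter().any(|r| r.matches(v)) {
            Status::Patched
        } else if self.unaffected.iter().any(|r| r.matches(v)) {
            Status::Unaffected
        } else {
            Status::Vulnerable
        }
    }
}

/// The ranges proposed in the comment above for `aliasable` (hypothetical
/// helper name, not RustSec tooling).
pub fn aliasable_status(version: &str) -> Option<Status> {
    let adv = AdvisoryVersions::new(&[">= 0.1.4"], &["< 0.1.3"])?;
    Some(adv.status(Version::parse(version)?))
}

fn main() {
    for v in ["0.1.2", "0.1.3", "0.1.4", "1.0.0"] {
        println!("aliasable {v}: {:?}", aliasable_status(v));
    }
}
```

With the ranges from the comment, 0.1.2 reports as unaffected, 0.1.3 as vulnerable and 0.1.4 (or anything later) as patched, which is exactly the split the advisory is meant to express. Leaving `patched` empty until 0.1.4 actually ships is the conservative choice, since any version not covered by either list stays flagged.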