Add advisory for unsound problems in `workflow-core`

Open safe4u opened this issue 1 year ago • 5 comments

The util functions `buffer_as_slice` and `buffer_as_slice_mut` in crate `workflow-core` could create an illegal slice. The details are described in https://github.com/workflow-rs/workflow-rs/issues/11

safe4u avatar Jul 07 '24 03:07 safe4u

Still unsound in 0.18.0. Could you update the version in the advisory?

kornelski avatar Dec 04 '24 12:12 kornelski

Thanks for all

pduhandeh-collab avatar Nov 27 '25 19:11 pduhandeh-collab

@aspect @surinder83singh can you talk about the maintenance status of the workflow-core crate? If it's unmaintained, it would be good to communicate this.

djc avatar Nov 28 '25 09:11 djc

Thanks for tagging. This is great.

No, the crate is very much maintained and is critical to some well maintained mainstream applications.

This is my fault, as I have basically disregarded this, assuming that this is AI auto-detection and this crate contains a general-purpose toolbox of different handy utils ... not really used by anyone (and apparently broken :)). They just sit in one of the submodules.

I am unfortunately swamped and can't look at this right now or in the coming days. There is a maintenance pass that is needed in related crates (it's a large framework). These functions should be just killed off.

I will add this to my general todo list and address this eventually.

aspect avatar Dec 04 '25 00:12 aspect

@aspect okay, so is it okay if we just publish this advisory without fixed versions for now? We can always add those later as they become available.

djc avatar Dec 04 '25 12:12 djc