advisory-db

Security advisory database for Rust crates published through crates.io

Results 181 advisory-db issues

[RUSTSEC-2020-0071](https://github.com/rustsec/advisory-db/blob/main/crates/time/RUSTSEC-2020-0071.md) lists a large number of platforms, some of these are unrecognized by the `platforms` crate and end up being treated as unknown by RustSec tooling. For example, [the OSV exported...

Blocker-Tooling

The `hexchat` crate has `register_command` and `deregister_command` functions. When used together, they can cause a use-after-free. This seems to be the case with most if not all of the callback-related...

Unsound

**Following-Up from here re:unicase** https://github.com/rustsec/advisory-db/pull/1176 https://github.com/interledger-rs/interledger-rs/pull/744 **Crates** interledger - 2,962 downloads - over 2 years ago - crates.io: 0.6.0, github: 1.0.0 (commit 3 years ago) ilp-cli - 665 downloads -...

Unmaintained

This PR adds a maintenance warning about the `rust-clipboard` crate. It has not been updated in years and, at this point, two forks of it are the most viable alternatives....

Unmaintained
Waiting-Maintainer

`cell-project` uses the wrong variance and is unsound.

Unsound

A [maintenance inquiry](https://github.com/ogham/rust-ansi-term/issues/72) has been open since August 2021 without response. The most recent release & PR merge was in September 2019 and multiple PRs + issues are outstanding.

The [`align_first`](https://docs.rs/maligned/latest/maligned/fn.align_first.html) function of the `maligned` crate manually allocates with an alignment larger than `T`, and then uses `Vec::from_raw_parts` on that allocation to get a `Vec`. As per the [stdlib...

Unmaintained
Unsound

The last update (0.6.0) of `internment` notes in its changelog that it removed `LocalIntern` because it can be used to cause use-after-free errors. https://github.com/droundy/internment/blob/9270a4d05c6c18f89e7ecfb2ad3fe52250f6385f/CHANGELOG.md The type is removed in 0.6.0...

Unsound

The advisory format doesn't have the ability to express that a crate may be vulnerable only if an optional Cargo feature is enabled (e.g. when `cargo add halfbaddep` is fine, but...

Blocker-Tooling

[rust playground](https://play.rust-lang.org/?version=stable&mode=release&edition=2021&gist=aa4c2687f47d41e9873cc40982eb586a) the above example doesn't reproduce using the actual crate in question but its "safe" wrapper is literally just: `fn safe_uninit() -> Self { unsafe { MaybeUninit::uninit().assume_init() } }`

Unsound