jeaye/ncurses-rs

Critical 9.8/10 vulnerability for this library

Closed this issue · 8 comments

According to GitHub Dependabot this library now has a 9.8/10 vulnerability at the current version (5.101.0) as well as a 7.5/10 high.

Here are the CVEs:
CVE-2019-15548
CVE-2019-15547

Here's the corresponding Rust Advisory.

jeaye commented

Thanks for sharing. I'd love a PR to fix each of these. For the latter one, the fn has been deprecated. For the former, there's been a comment there for a while, since the code was suspected to be incorrect. I haven't used Rust much in years, so I'm hoping someone else can pick this up. Perhaps @Ella-0?

I'd love to help, but the repo I linked to in my OP represents the current extent of my own Rust knowledge. I did that pancurses/ncurses-rs project a few years ago as a way to learn Rust myself, but I'm certainly more than a little rust-y on it since I haven't really touched it since then.

Perhaps @Ella-0?

Currently I'm in the middle of exams but I can have a look after they finish.

jeaye commented

Perhaps @Ella-0?

Currently I'm in the middle of exams but I can have a look after they finish.

Excellent. You're the best. Best of luck with your exams. :D

Thank you for reporting. This is fixed in versions 6.0.0 and higher. 7bd2554

Many thanks! I tested and added the fix to my repo and all seems happy now.

Many thanks! I tested and added the fix to my repo and all seems happy now.

I take it that (at least) compiles on Fedora? I'll add it to my VirtualBox for testing...

EDIT: I'm trying to make it compile on Gentoo and NixOS, provided the needed libs are already installed system-wide. Will PR after I make sure it works with a bunch of projects that use it (yours is on the list too).
It does indeed compile on Fedora 39, provided the ncurses-devel package is installed.

It worked here with rust/Cargo 1.77 on Fedora 39. I didn't try in an RPM spec, but it should work, AFAICT. I'll get a bugzilla request to get the Fedora package updated, if it hasn't already been submitted.

EDIT: https://bugzilla.redhat.com/show_bug.cgi?id=2272332