philphilphil/modo

RUSTSEC-2019-0006: Buffer overflow and format vulnerabilities in functions exposed without unsafe

Closed this issue · 2 comments

Buffer overflow and format vulnerabilities in functions exposed without unsafe

Details
Package ncurses
Version 5.101.0
URL rustsec/advisory-db#106
Date 2019-06-15

ncurses exposes functions from the ncurses library which:

  • Passes buffers without a length to C functions that may write an arbitrary amount of
    data, leading to a buffer overflow (instr, mvwinstr, etc.).
  • Passes Rust &str values to C functions that expect a format string, so hostile
    input can mount a format string attack, which trivially allows writing
    arbitrary data to stack memory (functions in the printw family).

See advisory page for additional details.
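Added example (not code from modo, the ncurses crate, or the advisory) modelling the defensive rule behind the second bullet: untrusted text must never reach a C format-string parameter, so a caller either detects directives in it or escapes it before handing it over; with ncurses the text-only `addstr` wrapper sidesteps the problem entirely. The function names are my own and the scanner recognises only the basic printf directive shape (`%`, optional flags/width/precision, a conversion letter).

```rust
// Added example: plain std Rust, compiles without libncurses.
// C printw() treats its first argument as a printf format, so a Rust &str
// forwarded unchanged lets any '%' in user-controlled text drive the C
// formatter. These helpers let a caller check or neutralise such text.

/// Return every printf-style directive found in `text`, e.g. "%s", "%08x".
/// "%%" is a literal percent and is skipped. A lone trailing '%' is still
/// reported, because printf-family functions treat it as malformed input.
pub fn format_directives(text: &str) -> Vec<String> {
    let mut found = Vec::new();
    let mut iter = text.char_indices().peekable();
    while let Some((start, c)) = iter.next() {
        if c != '%' {
            continue;
        }
        match iter.peek() {
            Some(&(_, '%')) => {
                iter.next(); // "%%": escaped percent, not a directive
            }
            _ => {
                // Consume flags/width/precision/length up to and including
                // the conversion letter (the first ASCII alphabetic char).
                let mut end = start + 1;
                while let Some(&(i, d)) = iter.peek() {
                    end = i + d.len_utf8();
                    iter.next();
                    if d.is_ascii_alphabetic() {
                        break;
                    }
                }
                found.push(text[start..end].to_string());
            }
        }
    }
    found
}

/// True if `text` would be interpreted rather than printed literally when
/// used as a C format string.
pub fn has_format_directive(text: &str) -> bool {
    !format_directives(text).is_empty()
}

/// Neutralise `text` for use where a C format string is expected: every '%'
/// becomes "%%", which the C formatter prints back as a single '%'.
pub fn escape_format(text: &str) -> String {
    text.replace('%', "%%")
}
```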

I wonder why this issue has been closed? I don't see any mention of it being fixed?

switched from ncurses to termion for the TUI