Deps.rs

cursive 0.11.2

[![dependency status](https://deps.rs/crate/cursive/0.11.2/status.svg)](https://deps.rs/crate/cursive/0.11.2)

This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate cursive

Dependencies

(24 total, 15 outdated, 3 insecure, 1 possibly insecure)

CrateRequiredLatestStatus
 bear-lib-terminal^2.0.02.0.0up to date
 cfg-if^0.1.71.0.4out of date
 chrono ⚠️^0.4.60.4.42maybe insecure
 crossbeam-channel^0.3.80.5.15out of date
 crossterm^0.9.20.29.0out of date
 enum-map^0.5.02.7.3out of date
 enumset^0.3.171.1.10out of date
 hashbrown^0.2.10.16.1out of date
 lazy_static^1.3.01.5.0up to date
 libc^0.2.510.2.178up to date
 log^0.4.60.4.29up to date
 maplit^1.0.11.0.2up to date
 ncurses ⚠️^5.99.06.0.1insecure
 num^0.2.00.4.3out of date
 owning_ref ⚠️^0.4.00.4.1insecure
 pancurses ⚠️^0.16.10.17.0insecure
 pulldown-cmark^0.4.10.13.0out of date
 signal-hook^0.1.80.3.18out of date
 term_size^0.3.10.3.2up to date
 termion^1.5.14.0.6out of date
 toml^0.5.00.9.10+spec-1.1.0out of date
 unicode-segmentation^1.2.11.12.0up to date
 unicode-width^0.1.50.2.2out of date
 xi-unicode^0.1.00.3.0out of date

Dev dependencies

(2 total, 1 outdated)

CrateRequiredLatestStatus
 pretty-bytes^0.2.20.2.2up to date
 rand^0.6.50.9.2out of date

Security Vulnerabilities

pancurses: Format string vulnerabilities in `pancurses`

RUSTSEC-2019-0005

pancurses::mvprintw and pancurses::printw passes a pointer from a rust &str to C, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory.

ncurses: Buffer overflow and format vulnerabilities in functions exposed without unsafe

RUSTSEC-2019-0006

ncurses exposes functions from the ncurses library which:

  • Pass buffers without length to C functions that may write an arbitrary amount of data, leading to a buffer overflow. (instr, mvwinstr, etc)
  • Passes rust &str to strings expecting C format arguments, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory (functions in the printw family).

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

owning_ref: Multiple soundness issues in `owning_ref`

RUSTSEC-2022-0040

  • OwningRef::map_with_owner is unsound and may result in a use-after-free.
  • OwningRef::map is unsound and may result in a use-after-free.
  • OwningRefMut::as_owner and OwningRefMut::as_owner_mut are unsound and may result in a use-after-free.
  • The crate violates Rust's aliasing rules, which may cause miscompilations on recent compilers that emit the LLVM noalias attribute.

safer_owning_ref is a replacement crate which fixes these issues. No patched versions of the original crate are available, and the maintainer is unresponsive.