cursive 0.13.0
This project contains known security vulnerabilities. Find detailed information at the bottom.
cursive
(24 total, 13 outdated, 3 insecure, 1 possibly insecure)
Crate | Required | Latest | Status |
---|---|---|---|
bear-lib-terminal | ^2.0.0 | 2.0.0 | up to date |
cfg-if | ^0.1.9 | 1.0.0 | out of date |
chrono ⚠️ | ^0.4.7 | 0.4.37 | maybe insecure |
crossbeam-channel | ^0.3.9 | 0.5.12 | out of date |
crossterm | ^0.10.1 | 0.27.0 | out of date |
enum-map | ^0.6.0 | 2.7.3 | out of date |
enumset | ^0.4.0 | 1.1.3 | out of date |
hashbrown | ^0.5.0 | 0.14.3 | out of date |
lazy_static | ^1.3.0 | 1.4.0 | up to date |
libc | ^0.2.60 | 0.2.153 | up to date |
log | ^0.4.8 | 0.4.21 | up to date |
maplit | ^1.0.1 | 1.0.2 | up to date |
ncurses ⚠️ | ^5.99.0 | 5.101.0 | insecure |
num | ^0.2.0 | 0.4.1 | out of date |
owning_ref ⚠️ | ^0.4.0 | 0.4.1 | insecure |
pancurses ⚠️ | ^0.16.1 | 0.17.0 | insecure |
pulldown-cmark | ^0.5.3 | 0.10.0 | out of date |
signal-hook | ^0.1.10 | 0.3.17 | out of date |
term_size | ^0.3.1 | 0.3.2 | up to date |
termion | ^1.5.3 | 3.0.0 | out of date |
toml | ^0.5.1 | 0.8.12 | out of date |
unicode-segmentation | ^1.3.0 | 1.11.0 | up to date |
unicode-width | ^0.1.5 | 0.1.11 | up to date |
xi-unicode | ^0.2.0 | 0.3.0 | out of date |
(3 total, 1 outdated)
Crate | Required | Latest | Status |
---|---|---|---|
atty | ^0.2.13 | 0.2.14 | up to date |
pretty-bytes | ^0.2.2 | 0.2.2 | up to date |
rand | ^0.7.0 | 0.8.5 | out of date |
pancurses: Format string vulnerabilities in `pancurses`

`pancurses::mvprintw` and `pancurses::printw` pass a pointer from a Rust `&str` to C, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory.

ncurses: Buffer overflow and format vulnerabilities in functions exposed without unsafe

`ncurses` exposes functions from the ncurses library which:

- (`instr`, `mvwinstr`, etc)
- (`printw` family).

chrono: Potential segfault in `localtime_r` invocations

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

No workarounds are known.

owning_ref: Multiple soundness issues in `owning_ref`

- `OwningRef::map_with_owner` is unsound and may result in a use-after-free.
- `OwningRef::map` is unsound and may result in a use-after-free.
- `OwningRefMut::as_owner` and `OwningRefMut::as_owner_mut` are unsound and may result in a use-after-free.
- `noalias` attribute.

`safer_owning_ref` is a replacement crate which fixes these issues.
No patched versions of the original crate are available, and the maintainer is unresponsive.