This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate cursive

Dependencies

(24 total, 13 outdated, 3 insecure, 1 possibly insecure)

Crate                   Required   Latest    Status
bear-lib-terminal       ^2.0.0     2.0.0     up to date
cfg-if                  ^0.1.9     1.0.0     out of date
chrono ⚠️               ^0.4.7     0.4.37    maybe insecure
crossbeam-channel       ^0.3.9     0.5.12    out of date
crossterm               ^0.10.1    0.27.0    out of date
enum-map                ^0.6.0     2.7.3     out of date
enumset                 ^0.4.0     1.1.3     out of date
hashbrown               ^0.5.0     0.14.3    out of date
lazy_static             ^1.3.0     1.4.0     up to date
libc                    ^0.2.60    0.2.153   up to date
log                     ^0.4.8     0.4.21    up to date
maplit                  ^1.0.1     1.0.2     up to date
ncurses ⚠️              ^5.99.0    5.101.0   insecure
num                     ^0.2.0     0.4.1     out of date
owning_ref ⚠️           ^0.4.0     0.4.1     insecure
pancurses ⚠️            ^0.16.1    0.17.0    insecure
pulldown-cmark          ^0.5.3     0.10.0    out of date
signal-hook             ^0.1.10    0.3.17    out of date
term_size               ^0.3.1     0.3.2     up to date
termion                 ^1.5.3     3.0.0     out of date
toml                    ^0.5.1     0.8.12    out of date
unicode-segmentation    ^1.3.0     1.11.0    up to date
unicode-width           ^0.1.5     0.1.11    up to date
xi-unicode              ^0.2.0     0.3.0     out of date

Dev dependencies

(3 total, 1 outdated)

Crate                   Required   Latest    Status
atty                    ^0.2.13    0.2.14    up to date
pretty-bytes            ^0.2.2     0.2.2     up to date
rand                    ^0.7.0     0.8.5     out of date

Security Vulnerabilities

pancurses: Format string vulnerabilities in `pancurses`

RUSTSEC-2019-0005

pancurses::mvprintw and pancurses::printw pass a pointer from a Rust &str to C in the format-string position, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory.

ncurses: Buffer overflow and format vulnerabilities in functions exposed without unsafe

RUSTSEC-2019-0006

ncurses exposes functions from the ncurses library which:

  • Pass buffers without a length to C functions that may write an arbitrary amount of data, leading to a buffer overflow (instr, mvwinstr, etc.).
  • Pass a Rust &str to C functions that expect a format string with matching arguments, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory (functions in the printw family).
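Both the pancurses and the ncurses advisories above describe the same defect: caller-controlled text is handed to C in the format-string position, so any '%' directives in it are interpreted by C. The following added example is not code from this report or from the pancurses/ncurses crates; it uses C's snprintf (declared through FFI, so it runs without either crate) as a stand-in for printw, and places the vulnerable shape next to the hardened one, in which the program owns the format string and the text travels as a "%s" argument. The function names render_text_as_format and render_text_safely are hypothetical.

```rust
// Added example: contrasts passing a Rust &str through as a C format string
// (the pattern the RUSTSEC-2019-0005/0006 advisories describe) with the
// hardened form. snprintf stands in for printw; it is variadic in the same way.
use std::ffi::{CStr, CString, NulError};
use std::os::raw::{c_char, c_int};

extern "C" {
    // C library snprintf: writes at most `size` bytes (including the NUL).
    fn snprintf(buf: *mut c_char, size: usize, fmt: *const c_char, ...) -> c_int;
}

/// Vulnerable shape (hypothetical name): the text itself becomes the format
/// string and no arguments are supplied, so a '%' in the text makes C read
/// (or, with "%n", write) through varargs that were never passed. Kept here
/// only to show the bug's shape; it is never called with untrusted text.
#[allow(dead_code)]
pub fn render_text_as_format(text: &str) -> Result<String, NulError> {
    let c_text = CString::new(text)?;
    let mut buf = vec![0 as c_char; 256];
    // BUG: c_text occupies the format position, exactly like printw(&str).
    unsafe { snprintf(buf.as_mut_ptr(), buf.len(), c_text.as_ptr()) };
    Ok(unsafe { CStr::from_ptr(buf.as_ptr()) }.to_string_lossy().into_owned())
}

/// Hardened shape (hypothetical name): the program supplies a fixed "%s"
/// format it controls, and the text is passed as data, so every '%' in the
/// text is copied literally. The buffer is sized from the input and snprintf
/// always NUL-terminates within `size`, which also removes the overflow risk.
pub fn render_text_safely(text: &str) -> Result<String, NulError> {
    let c_text = CString::new(text)?; // rejects interior NUL bytes
    let fmt = CString::new("%s").expect("static format has no NUL");
    let mut buf = vec![0 as c_char; text.len() + 1];
    let written = unsafe {
        snprintf(buf.as_mut_ptr(), buf.len(), fmt.as_ptr(), c_text.as_ptr())
    };
    // snprintf returns the length it wanted to write; anything >= size means
    // truncation, which our sizing rules out, but check rather than assume.
    assert!(written >= 0 && (written as usize) < buf.len(), "snprintf truncated or failed");
    Ok(unsafe { CStr::from_ptr(buf.as_ptr()) }.to_string_lossy().into_owned())
}

fn main() {
    // '%' sequences survive untouched because they are data, not directives.
    let out = render_text_safely("Progress: 100% (%s of %x)").unwrap();
    println!("{}", out);
}
```

The same choice exists at the crate level: in pancurses, Window::addstr takes its argument as text, while printw treats it as a format string, so display of anything a user can influence belongs in addstr. The CString step matters in both shapes, since a &str with an interior NUL would otherwise silently truncate at the C boundary.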

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

owning_ref: Multiple soundness issues in `owning_ref`

RUSTSEC-2022-0040

  • OwningRef::map_with_owner is unsound and may result in a use-after-free.
  • OwningRef::map is unsound and may result in a use-after-free.
  • OwningRefMut::as_owner and OwningRefMut::as_owner_mut are unsound and may result in a use-after-free.
  • The crate violates Rust's aliasing rules, which may cause miscompilations on recent compilers that emit the LLVM noalias attribute.

safer_owning_ref is a replacement crate which fixes these issues. No patched versions of the original crate are available, and the maintainer is unresponsive.