This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate inferno

Dependencies

(16 total, 1 possibly insecure)

Crate              Required  Latest  Status
ahash              ^0.7      0.7.6   up to date
atty               ^0.2      0.2.14  up to date
crossbeam-utils    ^0.8      0.8.5   up to date
crossbeam-channel  ^0.5      0.5.1   up to date
dashmap            ^4        4.0.2   up to date
env_logger         ^0.9      0.9.0   up to date
indexmap           ^1.0      1.7.0   up to date
itoa               ^0.4.3    0.4.8   up to date
lazy_static        ^1.3.0    1.4.0   up to date
log                ^0.4      0.4.14  up to date
num_cpus           ^1.10     1.13.0  up to date
num-format         ^0.4      0.4.0   up to date
quick-xml          ^0.22     0.22.0  up to date
rgb ⚠️             ^0.8.13   0.8.29  maybe insecure
str_stack          ^0.1      0.1.0   up to date
structopt          ^0.3      0.3.25  up to date

Dev dependencies

(7 total, all up-to-date)

Crate              Required  Latest  Status
assert_cmd         ^2        2.0.2   up to date
criterion          ^0.3      0.3.5   up to date
libflate           ^1        1.1.1   up to date
maplit             ^1.0.1    1.0.2   up to date
pretty_assertions  ^1        1.0.0   up to date
rand               ^0.8      0.8.4   up to date
testing_logger     ^0.1.1    0.1.1   up to date

Security Vulnerabilities

rgb: Allows viewing and modifying arbitrary structs as bytes

RUSTSEC-2020-0029

Affected versions of the rgb crate allow viewing and modifying data of any type T wrapped in RGB<T> as bytes, and do not correctly constrain RGB<T> and other wrapper structures to the types for which it is safe to do so.

Safety violations are possible for a type wrapped in RGB<T> and similar wrapper structures:

  • If T contains padding, viewing it as bytes may lead to exposure of contents of uninitialized memory.
  • If T contains a pointer, modifying it as bytes may lead to dereferencing of arbitrary pointers.
  • Any safety and/or validity invariants for T may be violated.

The issue was resolved by requiring all types wrapped in structures provided by the rgb crate to implement an unsafe marker trait.