This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate sechat-rs

Dependencies

(32 total, 1 outdated, 3 possibly insecure)

Crate                Required    Latest    Status
reqwest              ^0.12       0.12.8    up to date
tokio ⚠️             ^1          1.40.0    maybe insecure
serde                ^1.0        1.0.210   up to date
serde_json           ^1.0        1.0.128   up to date
jzon                 *           0.12.5    up to date
base64 ⚠️            *           0.22.1    maybe insecure
toml                 *           0.8.19    up to date
toml-example         ^0.11.1     0.12.0    out of date
ratatui              ^0.28       0.28.1    up to date
crossterm            *           0.28.1    up to date
tui-tree-widget      ^0.22       0.22.0    up to date
futures              *           0.3.31    up to date
chrono ⚠️            *           0.4.38    maybe insecure
num-traits           *           0.2.19    up to date
num-derive           *           0.4.2     up to date
log                  *           0.4.22    up to date
log4rs               ^1.3        1.3.0     up to date
notify-rust          ^4.11       4.11.3    up to date
itertools            *           0.13.0    up to date
clap                 ^4.5.16     4.5.20    up to date
strum                ^0.26       0.26.3    up to date
strum_macros         ^0.26       0.26.4    up to date
textwrap             ^0.16.1     0.16.1    up to date
etcetera             ^0.8.0      0.8.0     up to date
better-panic         ^0.3.0      0.3.0     up to date
color-eyre           ^0.6.3      0.6.3     up to date
human-panic          ^2.0.1      2.0.2     up to date
libc                 ^0.2.158    0.2.159   up to date
strip-ansi-escapes   ^0.2.0      0.2.0     up to date
tracing              ^0.1.40     0.1.40    up to date
cfg-if               ^1.0.0      1.0.0     up to date
tui-textarea         ^0.6.1      0.6.1     up to date

Security Vulnerabilities

base64: Integer overflow leads to heap-based buffer overflow in encode_config_buf

RUSTSEC-2017-0004

Affected versions of this crate suffered from an integer overflow bug when calculating the size of a buffer to use when encoding base64 using the encode_config_buf and encode_config functions. If the input string was large, this would cause a buffer to be allocated that was too small. Since this function writes to the buffer using unsafe code, it would allow an attacker to write beyond the buffer, causing memory corruption and possibly the execution of arbitrary code.

This flaw was corrected by using checked arithmetic to calculate the size of the buffer.

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

tokio: reject_remote_clients Configuration corruption

RUSTSEC-2023-0001

On Windows, configuring a named pipe server with pipe_mode forces ServerOptions::reject_remote_clients to false.

This discards any explicit reject_remote_clients(true) configuration that was set earlier on the same ServerOptions.

Since reject_remote_clients defaults to true, the default is overridden to false as well.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

use tokio::net::windows::named_pipe::{PipeMode, ServerOptions};

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message); // set first: this call resets reject_remote_clients to false
opts.reject_remote_clients(true);  // set afterwards so the explicit value is kept