RUSTSEC-2023-0020 (unsound) on 2023-03-12: const-cstr is Unmaintained

Last release was about five years ago.

The maintainer(s) have been unreachable to respond to any issues that may or may not include security issues.

The repository is now archived and there is no security policy in place to contact the maintainer(s) otherwise.

No direct fork exist.

const-cstr is Unsound

The crate violates the safety contract of ffi::CStr::from_bytes_with_nul_unchecked used in ConstCStr::as_cstr

No interior nul bytes checking is done either by the constructor or the canonical macro to create the ConstCStr

const-cstr Panic

Additionally the crate may cause runtime panics if statically compiled and ran with any untrusted data that is not nul-terminated.

This is however unlikely but the the crate should not be used for untrusted data in context where panic may create a DoS vector.

Possible Alternatives

The below may or may not provide alternative(s)

These reviews are from cargo-vet. To add your review, set up cargo-vet and submit your URL to its registry.

cargo-vet does not verify reviewers' identity. You have to fully trust the source the audits are from.

unknown

May have been packaged automatically without a review

safe-to-run

This crate can be compiled, run, and tested on a local workstation or in controlled automation without surprising consequences. More…


Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.

To review the actual code of the crate, it's best to use cargo crev open const-cstr. Alternatively, you can download the tarball of const-cstr v0.3.0 or view the source online.