Open Bug 1973225 Opened 1 day ago Updated 21 hours ago

cargo-audit: Crate depends on a vulnerable version of self_cell.

Categories: Core :: Internationalization: Localization (task)
Status: ASSIGNED
People: Reporter: Sylvestre, Assigned: Sylvestre
References: Blocks 1 open bug
Attachments: 1 file

Advisory:
Insufficient covariance check makes self_cell unsound
Package: self_cell
ID: RUSTSEC-2023-0070
Report date: 2023-11-10
All public versions prior to `1.02` used an insufficient check to ensure that
users correctly marked the dependent type as either `covariant` or
`not_covariant`. This allowed users to mark a dependent as covariant even though
its type was not covariant but invariant, for certain invariant types involving
trait object lifetimes. One example for such a dependent type is `type
Dependent<'a> = RefCell<Box<dyn fmt::Display + 'a>>`. Such a type allowed
unsound usage in purely safe user code that leads to undefined behavior. The
patched versions now produce a compile time error if such a type is marked as
`covariant`.
URL: https://github.com/Voultapher/self_cell/issues/49
Patched versions: [
  ">=0.10.3, <1.0.0",
  ">=1.0.2"
]

Package info: {
  "name": "self_cell",
  "version": "0.10.2",
  "source": "registry+https://github.com/rust-lang/crates.io-index",
  "checksum": "1ef965a420fe14fdac7dd018862966a4c14094f900e1650bbc71ddd7d580c8af",
  "replace": null
}  (cargo-audit)

Looks like this is part of the dependencies of fluent-bundle.
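As an added example (not cargo-audit's code and not part of this bug report): a minimal Rust check of a crate version against the advisory's "Patched versions" ranges, which is the decision cargo-audit makes when it flags a lock file entry. It assumes the requirement syntax is limited to comma-separated `>=` and `<` comparators with full MAJOR.MINOR.PATCH versions, which is enough for the two ranges quoted above; the real tool uses a full semver parser. The version strings in `main` are taken from the Package info block and the advisory, the rest are constructed.

```rust
// Added example: decide whether a self_cell version is covered by the
// patched ranges listed in RUSTSEC-2023-0070. Not cargo-audit's own code.
// Assumption: requirement syntax is only ">=X.Y.Z" and "<X.Y.Z", comma-joined.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; anything else (pre-release tags, wildcards) is rejected.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        // Field order gives lexicographic (major, minor, patch) ordering via derive.
        Some(Version { major, minor, patch })
    }
}

#[derive(Debug, Clone, Copy)]
enum Op {
    Ge,
    Lt,
}

struct Comparator {
    op: Op,
    version: Version,
}

impl Comparator {
    /// Parse a single ">=X.Y.Z" or "<X.Y.Z" comparator.
    fn parse(s: &str) -> Option<Comparator> {
        let s = s.trim();
        if let Some(rest) = s.strip_prefix(">=") {
            Some(Comparator { op: Op::Ge, version: Version::parse(rest)? })
        } else if let Some(rest) = s.strip_prefix('<') {
            Some(Comparator { op: Op::Lt, version: Version::parse(rest)? })
        } else {
            None
        }
    }

    fn matches(&self, v: Version) -> bool {
        match self.op {
            Op::Ge => v >= self.version,
            Op::Lt => v < self.version,
        }
    }
}

/// A range such as ">=0.10.3, <1.0.0" matches only if every comparator holds.
/// Returns None if the range text cannot be parsed.
pub fn range_matches(range: &str, v: Version) -> Option<bool> {
    let mut all = true;
    for part in range.split(',') {
        let c = Comparator::parse(part)?;
        if !c.matches(v) {
            all = false;
        }
    }
    Some(all)
}

/// Patched-version ranges exactly as listed in the advisory above.
pub const PATCHED_RANGES: &[&str] = &[">=0.10.3, <1.0.0", ">=1.0.2"];

/// Some(true) if `version` falls inside at least one patched range,
/// Some(false) if it is still vulnerable, None if it cannot be parsed.
pub fn is_patched(version: &str) -> Option<bool> {
    let v = Version::parse(version)?;
    for r in PATCHED_RANGES {
        if range_matches(r, v)? {
            return Some(true);
        }
    }
    Some(false)
}

fn main() {
    // 0.10.2 is the version from the Package info block; the others are constructed.
    for v in ["0.10.2", "0.10.3", "1.0.0", "1.0.1", "1.0.2"] {
        match is_patched(v) {
            Some(true) => println!("self_cell {v}: patched"),
            Some(false) => println!("self_cell {v}: VULNERABLE (RUSTSEC-2023-0070)"),
            None => println!("self_cell {v}: unparseable version"),
        }
    }
}
```

Note that the advisory's two ranges leave a gap: 1.0.0 and 1.0.1 sit above the first range's `<1.0.0` bound and below the second range's `>=1.0.2`, so they are reported as vulnerable, as is the 0.10.2 pinned here. Bumping to 0.10.3 stays on the 0.x line and clears the finding without the 1.x API change.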

Component: Lint and Formatting → Internationalization: Localization
Product: Developer Infrastructure → Core
Assignee: nobody → sledru
Status: NEW → ASSIGNED