Add hopper face driver to hopper project and add speaking animation #267
Security advisories found
3 advisory(ies), 6 unmaintained, 3 other
Details
Vulnerabilities
RUSTSEC-2021-0119
Out-of-bounds write in nix::unistd::getgrouplist
| Details | |
|---|---|
| Package | nix |
| Version | 0.18.0 |
| URL | nix-rust/nix#1541 |
| Date | 2021-09-27 |
| Patched versions | ^0.20.2,^0.21.2,^0.22.2,>=0.23.0 |
| Unaffected versions | <0.16.0 |
On certain platforms, if a user has more than 16 groups, the
nix::unistd::getgrouplist function will call the libc getgrouplist
function with a length parameter greater than the size of the buffer it
provides, resulting in an out-of-bounds write and memory corruption.
The libc getgrouplist function takes an in/out parameter ngroups
specifying the size of the group buffer. When the buffer is too small to
hold all of the requested user's group memberships, some libc
implementations, including glibc and Solaris libc, will modify ngroups
to indicate the actual number of groups for the user, in addition to
returning an error. The version of nix::unistd::getgrouplist in nix
0.16.0 and up will resize the buffer to twice its size, but will not
read or modify the ngroups variable. Thus, if the user has more than
twice as many groups as the initial buffer size of 8, the next call to
getgrouplist will then write past the end of the buffer.
The issue would require editing /etc/groups to exploit, which is usually
only editable by the root user.
RUSTSEC-2021-0119
Out-of-bounds write in nix::unistd::getgrouplist
| Details | |
|---|---|
| Package | nix |
| Version | 0.20.0 |
| URL | nix-rust/nix#1541 |
| Date | 2021-09-27 |
| Patched versions | ^0.20.2,^0.21.2,^0.22.2,>=0.23.0 |
| Unaffected versions | <0.16.0 |
On certain platforms, if a user has more than 16 groups, the
nix::unistd::getgrouplist function will call the libc getgrouplist
function with a length parameter greater than the size of the buffer it
provides, resulting in an out-of-bounds write and memory corruption.
The libc getgrouplist function takes an in/out parameter ngroups
specifying the size of the group buffer. When the buffer is too small to
hold all of the requested user's group memberships, some libc
implementations, including glibc and Solaris libc, will modify ngroups
to indicate the actual number of groups for the user, in addition to
returning an error. The version of nix::unistd::getgrouplist in nix
0.16.0 and up will resize the buffer to twice its size, but will not
read or modify the ngroups variable. Thus, if the user has more than
twice as many groups as the initial buffer size of 8, the next call to
getgrouplist will then write past the end of the buffer.
The issue would require editing /etc/groups to exploit, which is usually
only editable by the root user.
RUSTSEC-2023-0065
Tungstenite allows remote attackers to cause a denial of service
| Details | |
|---|---|
| Package | tungstenite |
| Version | 0.18.0 |
| URL | snapview/tungstenite-rs#376 |
| Date | 2023-09-25 |
| Patched versions | >=0.20.1 |
The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause
a denial of service (minutes of CPU consumption) via an excessive length of an
HTTP header in a client handshake. The length affects both how many times a parse
is attempted (e.g., thousands of times) and the average amount of data for each
parse attempt (e.g., millions of bytes).
Warnings
RUSTSEC-2020-0168
mach is unmaintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | mach |
| Version | 0.1.2 |
| URL | fitzgen/mach#63 |
| Date | 2020-07-14 |
Last release was almost 4 years ago.
Maintainer(s) seem to be completely unreachable.
Possible Alternative(s)
These may or may not be suitable alternatives and have not been vetted in any way;
- mach2 - direct fork
RUSTSEC-2021-0150
ncollide3d is unmaintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | ncollide3d |
| Version | 0.33.0 |
| URL | https://github.com/dimforge/ncollide |
| Date | 2021-01-29 |
The maintainer has advised that this crate is passively-maintained and that it
is being superseded by the Parry project.
RUSTSEC-2020-0016
net2crate has been deprecated; usesocket2instead
| Details | |
|---|---|
| Status | unmaintained |
| Package | net2 |
| Version | 0.2.39 |
| URL | deprecrated/net2-rs@3350e38 |
| Date | 2020-05-01 |
The net2 crate has been deprecated
and users are encouraged to considered socket2 instead.
RUSTSEC-2021-0140
rusttype is Unmaintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | rusttype |
| Version | 0.8.3 |
| URL | https://gitlab.redox-os.org/redox-os/rusttype/-/issues/148 |
| Date | 2021-04-01 |
The maintainer has advised this crate is deprecated and will not
receive any maintenance.
The maintainer has further advised to migrate over to ab_glyph.
Last release seems to have been over two years ago.
Possible Alternative(s)
The below list has not been vetted in any way and may or may not contain alternatives;
RUSTSEC-2021-0140
rusttype is Unmaintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | rusttype |
| Version | 0.9.3 |
| URL | https://gitlab.redox-os.org/redox-os/rusttype/-/issues/148 |
| Date | 2021-04-01 |
The maintainer has advised this crate is deprecated and will not
receive any maintenance.
The maintainer has further advised to migrate over to ab_glyph.
Last release seems to have been over two years ago.
Possible Alternative(s)
The below list has not been vetted in any way and may or may not contain alternatives;
RUSTSEC-2020-0020
stb_truetypecrate has been deprecated; usettf-parserinstead
| Details | |
|---|---|
| Status | unmaintained |
| Package | stb_truetype |
| Version | 0.3.1 |
| URL | https://gitlab.redox-os.org/redox-os/stb_truetype-rs/-/commit/f1f5be4794e87bfc80a4255bc3f23ed75dd77645 |
| Date | 2020-04-18 |
This crate was maintained for use in rusttype which has switched to use ttf-parser