mozilla / cbindgen

A project for generating C bindings from Rust code

Vulnerability in cbindgen due to dependency on an old clap release

NuLL3rr0r opened this issue · comments

Simply running the following produces:

$ cargo audit

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── clap 3.2.25
    └── cbindgen 0.26.0
        └── mylib 0.0.0-git
            └── myguiapp 0.0.0-git

warning: 1 allowed warning found

It seems newer clap no longer relies on atty. Also, the advisory URL states:

atty is Unmaintained
A Pull Request with a fix has been provided over a year ago but the maintainer seems to be unreachable.

Last release of atty was almost 3 years ago.

Please bump to a version without dependency on atty.
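The `cargo audit` run above printed "1 allowed warning found" and still succeeded because cargo audit, by default, fails only on vulnerabilities and merely reports warnings such as `unsound` or `unmaintained`; `cargo audit --deny warnings` makes them fatal. For a CI gate with a finer policy (fail on selected warning kinds while allow-listing specific advisory IDs or crate versions), here is an added example. It is not code from the cbindgen project or from cargo-audit. It assumes the JSON shape of `cargo audit --json` (a `vulnerabilities` object with a `list`, plus a `warnings` object keyed by warning kind), and the embedded report is constructed by hand to mirror the atty finding in this issue rather than captured from the tool.

```python
"""CI gate over `cargo audit --json` output.

Added example; not part of cbindgen or cargo-audit. The schema assumed here
(a `vulnerabilities` object with a `list`, and a `warnings` object keyed by
warning kind) follows the rustsec Report struct that cargo-audit serialises.
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample report, shaped like `cargo audit --json` output (the shape
# is an assumption). The single finding mirrors the atty warning in the issue.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {"found": False, "count": 0, "list": []},
    "warnings": {
        "unsound": [
            {
                "kind": "unsound",
                "package": {"name": "atty", "version": "0.2.14"},
                "advisory": {
                    "id": "RUSTSEC-2021-0145",
                    "package": "atty",
                    "title": "Potential unaligned read",
                    "date": "2021-07-04",
                    "url": "https://rustsec.org/advisories/RUSTSEC-2021-0145",
                },
            }
        ]
    },
})


@dataclass(frozen=True)
class Finding:
    kind: str          # "vulnerability" or a warning kind: "unsound", "unmaintained", "yanked"
    advisory_id: str   # empty for findings without an advisory (e.g. yanked crates)
    package: str
    version: str
    title: str

    def allow_keys(self) -> set[str]:
        """Identifiers an allow-list may use to tolerate this finding."""
        keys = {f"{self.package}@{self.version}"}
        if self.advisory_id:
            keys.add(self.advisory_id)
        return keys


def parse_report(report_json: str) -> list[Finding]:
    """Flatten vulnerabilities and every warning kind into one list."""
    report = json.loads(report_json)
    findings: list[Finding] = []
    for vuln in report.get("vulnerabilities", {}).get("list", []):
        adv, pkg = vuln["advisory"], vuln["package"]
        findings.append(Finding("vulnerability", adv["id"], pkg["name"],
                                pkg["version"], adv.get("title", "")))
    for kind, warnings in report.get("warnings", {}).items():
        for warn in warnings:
            adv = warn.get("advisory") or {}   # yanked-crate warnings carry no advisory
            pkg = warn["package"]
            findings.append(Finding(kind, adv.get("id", ""), pkg["name"],
                                    pkg["version"], adv.get("title", "")))
    return findings


def evaluate(findings, deny_kinds=frozenset({"vulnerability"}), allow=frozenset()):
    """Split findings into (blocking, tolerated).

    A finding blocks when its kind is denied and none of its allow keys
    (advisory ID or name@version) is on the allow-list. The default denies
    only vulnerabilities, matching cargo audit's default exit behaviour.
    """
    blocking, tolerated = [], []
    for f in findings:
        if f.kind in deny_kinds and not (f.allow_keys() & allow):
            blocking.append(f)
        else:
            tolerated.append(f)
    return blocking, tolerated


def main(argv: list[str]) -> int:
    # `python gate.py -` reads a real `cargo audit --json` report from stdin;
    # with no "-" argument the constructed sample is used. Any other arguments
    # are allow-list keys, e.g. RUSTSEC-2021-0145 or atty@0.2.14.
    report = sys.stdin.read() if "-" in argv[1:] else SAMPLE_REPORT
    allow = frozenset(a for a in argv[1:] if a != "-")
    deny = frozenset({"vulnerability", "unsound", "unmaintained"})
    blocking, tolerated = evaluate(parse_report(report), deny, allow)
    for f in tolerated:
        print(f"allowed  {f.kind:<13} {f.package} {f.version} {f.advisory_id} {f.title}")
    for f in blocking:
        print(f"BLOCKING {f.kind:<13} {f.package} {f.version} {f.advisory_id} {f.title}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `cargo audit --json | python gate.py - RUSTSEC-2021-0145` to tolerate exactly this advisory while still failing on any vulnerability or on a different unsound or unmaintained dependency; allow-listing by `name@version` (here `atty@0.2.14`) keeps the exception from silently carrying over to a later release of the same crate.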

According to clap's changelog v4.0.27 is the first release without atty as a dependency:

4.0.27 - 2022-11-24

Features
- Have Arg::value_parser accept Vec<impl Into<PossibleValue>>
- Implement Display and FromStr for ColorChoice

Fixes
- Remove soundness issue by switching from atty to is-terminal

Duplicate of #880.