Vulnerability in cbindgen due to dependency on an old clap release
NuLL3rr0r opened this issue
Simply running the following produces:
$ cargo audit
Crate: atty
Version: 0.2.14
Warning: unsound
Title: Potential unaligned read
Date: 2021-07-04
ID: RUSTSEC-2021-0145
URL: https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── clap 3.2.25
    └── cbindgen 0.26.0
        └── mylib 0.0.0-git
            └── myguiapp 0.0.0-git
warning: 1 allowed warning found
It seems newer clap won't rely on atty. Also, the advisory URL states:
atty is Unmaintained
A Pull Request with a fix was provided over a year ago, but the maintainer seems to be unreachable.
Last release of atty was almost 3 years ago.
Please bump to a version without dependency on atty.
According to clap's changelog, v4.0.27 is the first release without atty as a dependency:
4.0.27 - 2022-11-24
Features
- Have Arg::value_parser accept Vec<impl Into<PossibleValue>>
- Implement Display and FromStr for ColorChoice
Fixes
- Remove soundness issue by switching from atty to is-terminal
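As an added example (not code from this issue, cbindgen or cargo-audit), a small Python parser for the cargo-audit text report format shown above: it recovers the inverted dependency chain and picks out the crate whose version you actually declare, which is the one to bump (cbindgen here, not clap or atty). The sample report is constructed from the output quoted in this issue.

```python
import re
# Constructed sample, modelled on the cargo-audit output quoted in this issue.
SAMPLE_AUDIT_OUTPUT = """\
Crate:     atty
Version:   0.2.14
Warning:   unsound
ID:        RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── clap 3.2.25
    └── cbindgen 0.26.0
        └── mylib 0.0.0-git
            └── myguiapp 0.0.0-git

warning: 1 allowed warning found
"""

FIELD_RE = re.compile(r"^(Crate|Version|Warning|Error|Title|Date|ID|URL):\s*(.*)$")
TREE_RE = re.compile(r"^\s*(?:[│├└]\S*\s+)?(\S+)\s+(\S+)\s*$")  # e.g. "└── clap 3.2.25"

def parse_audit(text):
    """One dict per finding: advisory fields plus "chain", the (name, version) path from flagged crate to root."""
    findings, current, in_tree = [], None, False
    for line in text.splitlines():
        field = FIELD_RE.match(line)
        if field:  # a "Key: value" advisory line; "Crate:" starts a new finding
            key, val = field.group(1).lower(), field.group(2).strip()
            if key == "crate":
                current = {"crate": val, "chain": []}
                findings.append(current)
            elif current is not None:
                current["kind" if key in ("warning", "error") else key] = val
            in_tree = False
            continue
        if line.startswith("Dependency tree:"):
            in_tree = True
            continue
        node = TREE_RE.match(line) if in_tree else None
        if node and current is not None:
            current["chain"].append((node.group(1), node.group(2)))
        else:
            in_tree = False  # a blank line or the summary line ends the tree
    return findings

def direct_dependency(chain, owned):
    """Walk from the workspace root towards the flagged crate; the first crate not in `owned` is the one you declare."""
    for name, version in reversed(chain):
        if name not in owned:
            return (name, version)
    return None
```

For anything beyond a quick triage script, feed the parser `cargo audit --json` output instead of the text report, since the text layout is not a stable interface.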
Duplicate of #880.