[Pkg-rust-maintainers] Bug#972100: CVE-2019-15547 CVE-2019-15548 (rust-ncurses)

peter green plugwash at p10link.net
Wed Oct 14 04:54:08 BST 2020


I just looked at this issue.

rust-ncurses is a thin wrapper around ncurses. It exposes unsafe (in the rust sense) C
APIs to safe rust code. The rust security team consider this to be a vulnerability.

There is more discussion of this issue at https://github.com/jeaye/ncurses-rs/issues/188.
The fix would be to mark most if not all of the functions exposed by the library as
unsafe and release a new major version of the library. Any reverse dependencies would
then need to be adapted to work with the new unsafe functions. The upstream maintainer
has indicated they would be accepting of a pull request but is not interested in doing
the work themselves.

There is also another wrapper called ncursesw which seems to be better maintained
and offers both low-level wrappers (correctly marked as unsafe) and higher-level
wrappers (some of which are safe). It is not packaged in Debian.

I looked to see what, if any, packages in Debian use rust-ncurses and I did not find
any in either buster, bullseye or sid. Is there a reason to keep this package around?
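The soundness problem described in the report, shown as an added example that is not code from rust-ncurses, ncurses-rs or ncursesw: libc's `strlen` stands in for an ncurses function that takes a C string (so nothing here needs ncurses installed), and the three functions show the unsound safe wrapper, the thin wrapper correctly marked `unsafe`, and a higher-level wrapper that can be safe because it establishes the C function's contract itself.

```rust
// Added example. Demonstrates why a safe Rust signature over a raw C API is a
// vulnerability, and what "mark the functions unsafe" means for callers.
use std::ffi::{c_char, CString};

extern "C" {
    // libc's strlen stands in for an ncurses entry point taking a `*const c_char`.
    // Like the ncurses functions, it is undefined behaviour on a null pointer or
    // a buffer that is not NUL-terminated.
    fn strlen(s: *const c_char) -> usize;
}

/// UNSOUND: the rust-ncurses pattern. The signature is safe, so safe Rust may pass
/// `std::ptr::null()` or an unterminated buffer and reach undefined behaviour
/// without ever writing `unsafe` itself.
pub fn unsound_c_strlen(s: *const c_char) -> usize {
    unsafe { strlen(s) }
}

/// Fix, step 1 (the thin wrapper as the report says it should be): marked `unsafe`,
/// with the contract the caller must uphold written down.
///
/// # Safety
/// `s` must be non-null and point to a NUL-terminated string that outlives the call.
pub unsafe fn raw_c_strlen(s: *const c_char) -> usize {
    unsafe { strlen(s) }
}

/// Fix, step 2 (the higher-level layer the report attributes to ncursesw): safe,
/// because it builds a valid C string itself. Returns `None` for text containing an
/// interior NUL, which a C string cannot represent.
pub fn safe_c_strlen(text: &str) -> Option<usize> {
    let c = CString::new(text).ok()?; // NUL-terminated copy; rejects interior NUL
    // SAFETY: `c` is non-null, NUL-terminated and lives until this function returns.
    Some(unsafe { raw_c_strlen(c.as_ptr()) })
}

fn main() {
    println!("{:?}", safe_c_strlen("hello")); // Some(5)
    println!("{:?}", safe_c_strlen("a\0b"));  // None
    // `unsound_c_strlen(std::ptr::null())` compiles with no `unsafe` at the call
    // site and would crash; `raw_c_strlen` forces the caller to opt in.
}
```

Reverse dependencies adapting to such a change replace calls to the old safe wrappers either with `unsafe { raw_... }` blocks carrying their own safety argument, or with the higher-level safe API.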


