[Pkg-rust-maintainers] Bug#972100: Bug#972100: CVE-2019-15547 CVE-2019-15548 (rust-ncurses)

Alexander Kjäll alexander.kjall at gmail.com
Wed Oct 14 07:23:32 BST 2020 

Hi

I'm slowly working my way towards packaging ripasso, which doesn't use
ncurses-rs due to the above security problems. But it does use cursive
( https://crates.io/crates/cursive ) which have ncurses-rs as an
optional dependency.

Currently the rust packaging system in debian requires all optional
dependencies to be present in order to build the package.

I have suggested to the cursive maintainer to remove ncurses-rs due to
the above security concerns here (
https://github.com/gyscos/cursive/issues/488 ) but I suspect that this
would be considered quite a disruptive change, I have also started to
rewrite it to use ncursesw but haven't had the time/skill to finish
that work yet.

I'm not opposed to removing it, as that kind of unmaintained code with
known security problems are exploits waiting to happen. But it would
also require a lot of work to happen before we can package anything
that depends on cursive into debian.

best regards
Alexander Kjäll

Den ons 14 okt. 2020 kl 05:57 skrev peter green <plugwash at p10link.net>:
>
> I just looked at this issue.
>
> rust-ncurses is a thin wrapper around ncurses. It exposes unsafe (in the rust sense) C
> APIs to safe rust code. The rust security team consider this to be a vulnerability.
>
> There is more discussion of this issue at https://github.com/jeaye/ncurses-rs/issues/188
> the fix would be to mark most if not all of the functions exposed by the library as
> unsafe and release a new major version of the library. Any reverse dependencies would
> then need to be adapted to work with the new unsafe functions. The upstream maintainer
> has indicated they would be accepting of a pull request but is not interested in doing
> the work themselves.
>
> There is also another wrapper called ncursesw which seems to be better maintained
> and offers both low-level wrappers (correctly marked as unsafe) and higher-level
> wrappers (some of which are safe). It is not packaged in Debian.
>
> I looked to see what if-any packages in Debian use rust-ncurses and I did not find
> any in either buster, bullseye or sid. Is there a reason to keep this package around?
>
> _______________________________________________
> Pkg-rust-maintainers mailing list
> Pkg-rust-maintainers at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-rust-maintainers

More information about the Pkg-rust-maintainers mailing list