
Integer overflow in xml-rs crate #1121

Closed
oherrala opened this issue Dec 10, 2021 · 8 comments · Fixed by #1356
Labels
Futures (Monitor) There is a resolution but this may change Unmaintained Informational / Unmaintained

Comments

@oherrala
Contributor

oherrala commented Dec 10, 2021

Upstream issues:

@pinkforest
Contributor

pinkforest commented Aug 8, 2022

The owners per crates would suggest @netvl @tomaka own this crate

I wonder whether people should be using this crate ?

Seems the crate has been duly abandoned if going by these -

netvl/xml-rs#219
netvl/xml-rs#218

@oherrala probably best action may be to file informational = unmaintained

There are 15,524,101 downloads total, ~30k daily downloads.

Nonetheless, the crate forbids any unsafe code and there aren't many dependencies to go through.

Nonetheless, for any parsing crate where maintainers may be unresponsive, I would like to know the maintenance status to make an informed decision, and this is probably worthwhile to flag up to nudge anyone using it, especially since there are concerns around parsing that have gone without fixes and it may be used in a context where it is necessary to trust the parser.

It would have been nice if there had been feedback from the maintainer on the patches / fixes. Do we know any alternative crate we can recommend as an actionable fix?

@pinkforest pinkforest added the Unmaintained Informational / Unmaintained label Aug 8, 2022
@tarcieri
Member

tarcieri commented Aug 8, 2022

It'd definitely be good to file an unmaintained crate advisory if the crate has been abandoned.

Otherwise this is a sort of tricky issue in that we don't want to file advisories for every last potential panic, but the one exception to that has been panics in format parsers that operate on untrusted data (potentially sourced via the network) as that becomes a network DoS vector (not sure we have a written policy for that in particular anywhere).

@tomaka
Contributor

tomaka commented Aug 8, 2022

My latest contribution is from April 2015. I don't think I can be considered a maintainer.

@pinkforest
Contributor

pinkforest commented Aug 8, 2022

@tomaka maybe there is someone who wants to take over it or something, considering it has a lot of use? -

You might also potentially be able to transfer the crate ownership to someone who could maintain it, as you're still listed as an owner of the crate on crates.io. That would most definitely be very helpful, I would think.

@netvl

netvl commented Aug 9, 2022

Hello,

I'm the owner of that crate, and it is indeed unmaintained because I haven't had any capacity to do it for a very long time. I would very much like to pass ownership of it to someone else.

That being said, my current employer requires any work on any open-source projects to be approved (I'm not even 100% sure it is okay for me to answer here), so even if I find someone, it will take some time for me to get an approval to do the necessary transfer work — for another project, it took about 3 months from start to end.

Still, if there is anyone willing to take ownership and maintenance work, I will be glad to do it.

@pinkforest
Contributor

Cool - thanks a lot for taking the time to let us know -

We don't usually flag advisories where the maintainer is reachable - the advisory would be for anything totally unreachable.

Would you nonetheless be okay with us filing an unmaintained informational advisory, so it can perhaps make someone from the community step up, and where you might be able to start the process?

Cheers

@netvl

netvl commented Aug 13, 2022

Since I'm the only owner of the repository right now, no one else will be able to do anything with the code except me, and I can't either without an approval. I will start the process of approval for transferring the repo to someone else (I have just got a person interested in it), but it will take time. I don't think I entirely understand your process, so feel free to do whatever you think is appropriate, given what I just said)

@pinkforest pinkforest added the Futures (Monitor) There is a resolution but this may change label Aug 13, 2022
@pinkforest
Copy link
Contributor

pinkforest commented Aug 14, 2022

Ok. We'll file it as unmaintained in #1356.

The new maintainer - if any - can send a PR to set the advisory as withdrawn once the crate is back to maintained status.

Thanks a lot!

dspicher added a commit to dspicher/rust-s3 that referenced this issue Nov 11, 2022
The xml-rs crate used by serde-xml-rs seems to be
unmaintained [1, 2] and has received an active RUSTSEC
advisory [3] due to unfixed parsing issues [4].

Luckily, XML usage in the crates here is minimal
and can be one-to-one migrated to the recommended
quick-xml [5]. The download stats on crates.io show
that quick-xml is currently being favoured.

[1] netvl/xml-rs#219

[2] RReverser/serde-xml-rs#180

[3] https://rustsec.org/advisories/RUSTSEC-2022-0048

[4] rustsec/advisory-db#1121

[5] https://crates.io/crates/quick-xml