While doing my first crev reviews, I stumbled upon hostname and actually found a potential safety issue (details). However, the author has both abandoned the crate and is inactive while the crate has a staggering amount of reverse dependencies. Can someone review my analysis and maybe give some guidance on adding an advisory for the situation or how to fix it in the ecosystem?
I responded in a comment; it's not clear that it actually is a safety issue in practice. It would be better for the code to be fixed though; it being unmaintained is unfortunate.
Would someone have an OS X machine to test this? Specifically, what is the behaviour of gethostname for a 255 byte hostname and namelen = 255.
Does it return success? Does it truncate to add the null terminator (not per documentation)?
@Andreas Molzer this might interest you https://github.com/RustSec/advisory-db/issues/134
I'm working on a PR for informational advisories that can at least warn for unmaintained crates
Thanks, should I comment on the crate in that issue list? Or is it already ready to accept a PR for it?
@Andreas Molzer Tried, can't seem to make my hostname be 255 bytes long. It seems impossible, but maybe there's some way?
@Andreas Molzer still working out a policy for that sort of thing, but I think it will ultimately be an informational advisory
@Thom Chiovoloni The documentation certainly makes it sound that way, but it's also dated 2003? It would be nice if it were not an issue in practice but still better to be compliant just in case.
I agree, but I also don't think a security advisory should be issued unless it's actually a vulnerability.
What about Redox?
It seems to null-terminate it initially in
But doesn't always null-terminate
Just had a glimpse at the code though, could be wrong.
I'm going to test it in a VM, that's going to take a while
Turns out Redox is fine, as stated in the issue.
It seems like we should try to get a fix in, but that it probably doesn't need a security advisory then.