rustsec-2023-0076
Vulnerability from osv_rustsec
Published: 2023-11-14 12:00
Modified: 2023-12-20 22:34
Summary
`cpython` is unmaintained
Details
The cpython crate and the underlying python3-sys and python27-sys crates have been marked as no longer actively maintained by the developer.
There are also open issues for unsound code that is currently in these crates:
- cpython#265: Using some string functions causes segmentation faults on big-endian architectures. Due to incorrect bitfield manipulations, it is possible to create invalid Python objects that crash the Python interpreter.
- cpython#294: Python 3.12 is not supported. Due to ABI changes in Python 3.12, calling some string functions will result in invalid Python objects and / or cause out-of-bounds memory accesses.
Recommended alternatives
- [pyo3] (version 0.19.2 and newer)
The pyo3 crate is actively maintained. Preliminary support for Python 3.12 was added in version 0.19.2, and version 0.20.0 was released with full support for Python 3.12.
Both versions implement string functions correctly on big-endian architectures. The endianness issue affecting the cpython crate was fixed in recent versions of pyo3.
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": null,
"informational": "unmaintained"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "cpython",
"purl": "pkg:cargo/cpython"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [],
"database_specific": {
"license": "CC0-1.0"
},
"details": "The `cpython` crate and the underlying `python3-sys` and `python27-sys` crates have been marked as [no longer actively maintained] by the developer.\n\nThere are also open issues for unsound code that is currently in these crates:\n\n- [cpython#265]: Using some string functions causes segmentation faults on big-endian architectures. Due to incorrect bitfield manipulations, it is possible to create invalid Python objects that crash the Python interpreter.\n- [cpython#294]: Python 3.12 is not supported. Due to ABI changes in Python 3.12, calling some string functions will result in invalid Python objects and / or cause out-of-bounds memory accesses.\n\n## Recommended alternatives\n\n- [`pyo3`] (version 0.19.2 and newer)\n\nThe `pyo3` crate is actively maintained. Preliminary support for Python 3.12 was added in version 0.19.2, and version 0.20.0 was released with full support for Python 3.12.\n\nBoth versions implement string functions correctly on big-endian architectures. The endianness issue affecting the `cpython` crate was fixed in recent versions of `pyo3`.\n\n[no longer actively maintained]: https://github.com/dgrunwald/rust-cpython/commit/e815555\n[cpython#265]: https://github.com/dgrunwald/rust-cpython/issues/265\n[cpython#294]: https://github.com/dgrunwald/rust-cpython/issues/294\n[`pyo3`]: https://crates.io/crates/pyo3",
"id": "RUSTSEC-2023-0076",
"modified": "2023-12-20T22:34:55Z",
"published": "2023-11-14T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/cpython"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2023-0076.html"
},
{
"type": "WEB",
"url": "https://github.com/dgrunwald/rust-cpython/commit/e815555"
},
{
"type": "REPORT",
"url": "https://github.com/dgrunwald/rust-cpython/issues/265"
},
{
"type": "REPORT",
"url": "https://github.com/dgrunwald/rust-cpython/issues/294"
}
],
"related": [],
"severity": [],
"summary": "`cpython` is unmaintained"
}