GHSA-x8jh-xj3x-gx3c

Published: 12 Nov 2024
Source: github
Github: Reviewed
CVSS4: 2.7

Description

fast-float has multiple soundness issues

fast-float contains multiple soundness issues:

  1. Undefined behavior when checking input length; a fix has been merged, but no package containing it has been published.
  2. Many functions marked as safe with non-local safety guarantees.

The library is also unmaintained.

Alternatives

For quickly parsing floating-point numbers, third-party crates are generally no longer needed. A fast float parsing algorithm by the author of lexical has been merged into libcore. When requiring direct parsing from bytes and/or partial parsers, the fast-float2 fork of fast-float contains these security patches and reduces overall usage of unsafe.
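
A sketch of moving byte-oriented and partial parsing onto the standard library's parser using only safe Rust. This is an added example, not code from the advisory, fast-float or fast-float2; the function names `parse_f64_bytes` and `parse_f64_prefix` are hypothetical, and the prefix scanner assumes plain decimal literals only.

```rust
use std::str;

/// Whole-input parse: checked UTF-8 conversion, then std's float parser.
pub fn parse_f64_bytes(input: &[u8]) -> Option<f64> {
    str::from_utf8(input).ok()?.parse::<f64>().ok()
}

/// Count leading ASCII digits starting at `from`.
fn digits(input: &[u8], from: usize) -> usize {
    input[from..].iter().take_while(|b| b.is_ascii_digit()).count()
}

/// Partial parse: longest decimal-literal prefix -> (value, bytes consumed).
/// Assumption of this example: "inf"/"nan" prefixes are not recognized.
pub fn parse_f64_prefix(input: &[u8]) -> Option<(f64, usize)> {
    let at = |i: usize| input.get(i).copied(); // bounds-checked access
    let mut i = usize::from(matches!(at(0), Some(b'+' | b'-')));
    let int_len = digits(input, i);
    i += int_len;
    let mut mantissa = int_len;
    if at(i) == Some(b'.') {
        let frac_len = digits(input, i + 1);
        // Accept "1." and ".5", but never a lone "."
        if int_len + frac_len > 0 {
            i += 1 + frac_len;
            mantissa += frac_len;
        }
    }
    if mantissa == 0 {
        return None;
    }
    // Consume an exponent only when at least one digit follows it.
    if matches!(at(i), Some(b'e' | b'E')) {
        let sign = usize::from(matches!(at(i + 1), Some(b'+' | b'-')));
        let exp_len = digits(input, i + 1 + sign);
        if exp_len > 0 {
            i += 1 + sign + exp_len;
        }
    }
    let value = str::from_utf8(&input[..i]).ok()?.parse::<f64>().ok()?;
    Some((value, i))
}

fn main() {
    // Constructed sample inputs.
    println!("{:?}", parse_f64_bytes(b"1.25e2"));
    println!("{:?}", parse_f64_prefix(b"12.5kg"));
}
```

Every index goes through a bounds-checked access or a slice whose start is proven in range, so malformed or truncated input yields `None` rather than an out-of-bounds read.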

Packages

Name: fast-float (rust)
Affected versions: <= 0.2.0
Fixed version: None

CVSS4: 2.7 Low