jondot / xtaskops

Goodies for working with the xtask concept in Rust
Apache License 2.0

[Bug]: atty potential unaligned read #6

Open sebastienrousseau opened 1 year ago

sebastienrousseau commented 1 year ago

What happened?

Hi 👋

xtaskops seems to have a dependency on using clap v3.2.25 which has triggered a dependabot alert https://github.com/sebastienrousseau/shokunin/security/dependabot/8

On windows, atty dereferences a potentially unaligned pointer.

In practice however, the pointer won't be unaligned unless a custom global allocator is used.

In particular, the System allocator on windows uses HeapAlloc, which guarantees a large enough alignment.

```toml
[[package]]
name = "clap"
version = "3.2.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4ea181bf566f71cb9a5d17a59e1871af638180a18fb0035c92ae62b705207123"
dependencies = [
 "atty",
 "bitflags 1.3.2",
 "clap_lex 0.2.4",
 "indexmap 1.9.3",
 "strsim",
 "termcolor",
 "textwrap",
]
```

I believe this has been solved by clap in subsequent versions:

https://github.com/clap-rs/clap/pull/5028

What type of Operating System?

Windows

Steps to produce this issue.

Please refer to my security alert:

https://github.com/sebastienrousseau/shokunin/security/dependabot/8

You can see the details in my [Cargo.lock](https://github.com/sebastienrousseau/shokunin/blob/main/Cargo.lock)
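As an added example (not code from the issue or from xtaskops), a std-only Rust scan that walks the `[[package]]` tables of a Cargo.lock and reports every package that lists `atty`, the crate behind the alert above; `LOCK_SAMPLE` is a constructed excerpt modelled on the lock block quoted in the issue, and `parse_lock` / `dependents_of` are names chosen here.

```rust
// Added example (not xtaskops code): a std-only scan of a Cargo.lock for every
// package that pulls in `atty`, the crate behind the dependabot alert above.
// LOCK_SAMPLE is a constructed excerpt shaped like the block quoted in the issue.
#[derive(Debug, Default)]
pub struct Package { pub name: String, pub version: String, pub deps: Vec<String> }

/// Parse the `[[package]]` tables of a Cargo.lock, reading only name,
/// version and the crate names in the `dependencies` list.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let (mut pkgs, mut in_deps) = (Vec::<Package>::new(), false);
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            pkgs.push(Package::default());
            in_deps = false;
            continue;
        }
        let cur = match pkgs.last_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line == "]" { in_deps = false; continue; }
            // entries look like "atty" or "bitflags 1.3.2": keep the crate name only
            let entry = line.trim_matches(|c: char| c == ',' || c == '"');
            cur.deps.push(entry.split(' ').next().unwrap_or("").to_string());
        } else if let Some(v) = line.strip_prefix("name = ") {
            cur.name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            cur.version = v.trim_matches('"').to_string();
        } else if line == "dependencies = [" {
            in_deps = true;
        }
    }
    pkgs
}

/// (name, version) of every package whose lock entry lists `crate_name`.
pub fn dependents_of<'a>(pkgs: &'a [Package], crate_name: &str) -> Vec<(&'a str, &'a str)> {
    pkgs.iter()
        .filter(|p| p.deps.iter().any(|d| d == crate_name))
        .map(|p| (p.name.as_str(), p.version.as_str()))
        .collect()
}

// Constructed sample: atty itself, clap 3.2.25 depending on it, and an unrelated crate.
pub const LOCK_SAMPLE: &str = "[[package]]\nname = \"atty\"\nversion = \"0.2.14\"\n\n\
[[package]]\nname = \"clap\"\nversion = \"3.2.25\"\ndependencies = [\n \"atty\",\n \
\"bitflags 1.3.2\",\n \"clap_lex 0.2.4\",\n]\n\n[[package]]\nname = \"termcolor\"\nversion = \"1.2.0\"\n";

fn main() {
    for (name, ver) in dependents_of(&parse_lock(LOCK_SAMPLE), "atty") {
        println!("{} {} depends on atty", name, ver); // prints: clap 3.2.25 depends on atty
    }
}
```

Run it against a real lock file by replacing `LOCK_SAMPLE` with the file's contents; an empty result means no package in the lock still pulls in `atty`.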

yonas commented 6 days ago

Check out https://github.com/jondot/xtaskops/pull/9 for a fix.