rustsec / advisory-db

Security advisory database for Rust crates published through crates.io
https://rustsec.org

`mbox` is unmaintained and unsound #1631

Open Nugine opened 1 year ago

Nugine commented 1 year ago

https://github.com/kennytm/mbox https://crates.io/crates/mbox

Last commit on 2021-04-01
Last release on 2021-04-01
The author is not responding.

Unsoundness: https://github.com/kennytm/mbox/issues/23

2 reverse dependencies on crates.io
140 (transitive) dependents on GitHub

pinkforest commented 1 year ago

Re: Unsound

The fn is marked as unsafe - on which the issue was opened only yesterday.

To have the fn flagged as "unsound", the fn should be safe, and there should be a vector to exploit the unsafe behind it.

Re: Unmaintained

On which issue is the author not responding that would indicate that potential security fixes would not potentially be merged?

Please note that our unmaintained advisories are reserved for:

A) Completely unreachable maintainers to the point it is reasonably clear that security issues would not be addressed or

B) Where the maintainer has explicitly advised that no maintenance is done at all - including potential security issues

Nugine commented 1 year ago

> The fn is marked as unsafe - on which the issue was opened only yesterday.

mbox::MBox::new is marked as safe.

Call stack:

mbox::MBox::new (safe)
    mbox::internal::gen_malloc (safe)
        mbox::internal::malloc_aligned (unsafe, incorrect)

> On which issue is the author not responding that would indicate that potential security fixes would not potentially be merged?

The issues and PRs are hanging for over 15 months.
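The soundness criterion pinkforest states above (a safe fn that can reach an unsafe call without upholding its preconditions) is the general pattern behind this report: a safe `new` calling an unsafe allocation routine. The example below is added here and is not code from `mbox`; it does not reproduce whatever `malloc_aligned` gets wrong, since the thread does not spell that out. It shows the shape of a sound safe wrapper over the global allocator: the safe constructor is the place that must check the allocator's documented preconditions (non-zero layout size, non-null result) before the `unsafe` block, and `Drop` must mirror the same decision. The type `OwnedBox` and the helper `needs_allocation` are names chosen for this example.

```rust
use std::alloc::{alloc, dealloc, handle_alloc_error, Layout};
use std::ptr::{self, NonNull};

/// Returns true if `T` requires a real heap allocation. The global allocator's
/// contract forbids passing it a zero-size layout, so a zero-sized `T` must be
/// handled with a dangling pointer instead. (Helper added for this example.)
pub fn needs_allocation<T>() -> bool {
    Layout::new::<T>().size() != 0
}

/// Minimal owning heap box. The `unsafe` calls inside are only sound because
/// every safe entry point upholds their preconditions explicitly.
pub struct OwnedBox<T> {
    ptr: NonNull<T>,
}

impl<T> OwnedBox<T> {
    /// Safe constructor: this is the function that would be "unsound" if any
    /// precondition of `alloc` were left unchecked, because safe code can call it.
    pub fn new(value: T) -> Self {
        let layout = Layout::new::<T>();
        let ptr = if needs_allocation::<T>() {
            // SAFETY: the layout has non-zero size (checked above), which is the
            // one precondition `alloc` places on its argument.
            let raw = unsafe { alloc(layout) } as *mut T;
            // A null return signals allocation failure; writing through it would be UB.
            NonNull::new(raw).unwrap_or_else(|| handle_alloc_error(layout))
        } else {
            // Zero-sized types never touch the allocator; a dangling, well-aligned
            // non-null pointer is valid for zero-size reads and writes.
            NonNull::dangling()
        };
        // SAFETY: `ptr` is non-null, aligned for `T`, and valid for a write of `T`
        // (freshly allocated with `T`'s layout, or dangling for a zero-sized `T`).
        unsafe { ptr.as_ptr().write(value) };
        OwnedBox { ptr }
    }

    /// Borrow the boxed value.
    pub fn get(&self) -> &T {
        // SAFETY: `ptr` was initialised in `new` and is only freed in `drop`.
        unsafe { self.ptr.as_ref() }
    }
}

impl<T> Drop for OwnedBox<T> {
    fn drop(&mut self) {
        let layout = Layout::new::<T>();
        // SAFETY: the pointee was written in `new` and has not been dropped yet.
        unsafe { ptr::drop_in_place(self.ptr.as_ptr()) };
        if needs_allocation::<T>() {
            // SAFETY: this pointer came from `alloc` with exactly this layout;
            // deallocating a dangling ZST pointer would violate `dealloc`'s contract.
            unsafe { dealloc(self.ptr.as_ptr() as *mut u8, layout) };
        }
    }
}

fn main() {
    let boxed = OwnedBox::new(String::from("checked before unsafe"));
    println!("{}", boxed.get());
    let unit = OwnedBox::new(());
    println!("zero-sized payload stored: {:?}", unit.get());
}
```

The audit question for a report like this one is exactly the call stack Nugine lists: starting from each safe public function, walk down to every `unsafe` call and confirm that each precondition is established by a check (or a type invariant) on that path. If one is not, the safe function is the unsound one, regardless of which inner function carries the `unsafe` keyword.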