
minimp3 uses an unsafe dependency #456

Closed
ImUrX opened this issue Nov 25, 2022 · 1 comment

Comments


ImUrX commented Nov 25, 2022

It uses slice-deque, which has RUSTSEC-2021-0047.
I saw that germangb/minimp3-rs#38 exists; it could be used instead of the current minimp3-rs.

est31 (Member) commented Nov 26, 2022

After #453 we now default to symphonia. I don't want to remove minimp3 completely as it still has its use cases, and I don't see alternatives that fulfill those use cases. Furthermore, it seems to me that the CVE is a hypothetical, that is, it requires a function to panic that is supplied by users. In fact, it seems that the drain_filter function isn't even used by minimp3 at all, so this is a false positive by tooling. Last, this is not a rodio issue. I'm closing in favour of germangb/minimp3-rs#29 and most importantly gnzlbg/slice_deque#90.
