rmp-serde Unsound

[pinkforest]

3Hren/msgpack-rust#305
https://gist.github.com/Lucretiel/5deaf285f06a85056aa76276abf9bd77

@Lucretiel would you mind contributing a PR on informational = "unsound" advisory on this ?

Do we know what release these Raw deprecations ended up into ?

[Lucretiel]

They were deprecated (but not yet removed) in 1.1.0

[Lucretiel]

Sure, I can start a report; is there a guide for how to write them?

[pinkforest]

@kornelski just wondering re: release for rmp-serde w/ removed Raw ? We can also mention the deprecation. Thanks

[pinkforest]

@Lucretiel That would be lovely !

You can send a pull request, create crates/rmp-serde/RUSTSEC-0000-0000.md

For an example for unsound:
https://github.com/rustsec/advisory-db/pull/1389/files

For the date use when you reported the issue originally - it's backdated

Cheers

[Lucretiel]

It appears that Raw itself wasn't deprecated, but from_utf8 was. There's still potential unsoundness in the serialize -> deserialize path. I haven't seen any justification for why type exists in the first place so it remains my position that it should be deprecated and removed entirely.

[pinkforest]

Cool - yeah if we could please document all those different vectors despite them being deprecated so the user will have informed choice on which APIs to use. Cheers

[kornelski]

Fixed in rmp-serde 1.1.1