Crates.io | ncurses-lite |
lib.rs | ncurses-lite |
version | 0.1.1 |
source | src |
created_at | 2022-07-23 23:16:45.132159 |
updated_at | 2022-07-24 00:21:39.232127 |
description | tiny reimagining of ncurses-rs |
homepage | |
repository | |
max_upload_size | |
id | 631751 |
size | 7,333 |
This is a light (microscopic) reimagining of ncurses-rs
.
After trying to use ncurses-rs
in rust-warrior
, and
getting alerted by the Github dependabot, the idea for this
new library was born.
An issue was discovered in the ncurses crate for Rust. There are format string issues in
printw
functions because C format arguments are mishandled.
An issue was discovered in the ncurses crate for Rust. There are
instr
andmvwinstr
buffer overflows because interaction with C functions is mishandled.
The instr
function has this comment:
pub fn instr(s: &mut String) -> i32
{
/* XXX: This is probably broken. */
unsafe
{
Reassuring, right?
The mvwinstr
function has the same comment:
pub fn mvwinstr(w: WINDOW, y: i32, x: i32, s: &mut String) -> i32
{
/* XXX: This is probably broken. */
unsafe
{
These vulnerabilities have been reported in this issue, which links to:
There are some curses docs online, such as this page that documents the
innstr
family of functions.
Given the complex nature of the vulnerable functions, and the difficulty in verifying whether they are currently "broken" or whether a change would be "broken" as well...
AND given that none of these functions are used in rust-warrior
...
Another option is to create a library that exposes the necessary parts of ncurses to Rust without including these vulnerabilities -- by simply leaving those functions out.
The following functions are implemented:
initscr
endwin
curs_set
newwin
waddch
waddstr
wclear
wrefresh