Add secruity advisory for fast-float.

rustsec · Oct 31, 2024 · 162cc64 · 162cc64
1 parent 6b8c8dd
commit 162cc64
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/crates/fast-float/RUSTSEC-0000-0000.md b/crates/fast-float/RUSTSEC-0000-0000.md
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "fast-float"
+date = "2024-10-31"
+informational = "unsound"
+categories = ["memory-corruption"]
+url = "<https://github.com/aldanor/fast-float-rust/issues/28>"
+references = ["https://github.com/aldanor/fast-float-rust/issues/35", "https://github.com/aldanor/fast-float-rust/issues/37"]
+aliases = []
+
+[versions]
+patched = []
+```
+
+# Multiple soundness issues
+
+`fast-float` contains multiple soundness issues:
+
+ 1. [Undefined behavior when checking input length](https://github.com/aldanor/fast-float-rust/issues/28), which has been merged but no package [pubished](https://github.com/aldanor/fast-float-rust/issues/35).
+ 1. [Many functions marked as safe with non-local safety guarantees](https://github.com/aldanor/fast-float-rust/issues/37)
+
+The library is also unmaintained.
+
+## Alternatives
+
+For quickly parsing floating-point numbers third-party crates are generally no longer needed. A fast float parsing algorithm by the author of `lexical` has been [merged](https://github.com/rust-lang/rust/pull/86761) into libcore. When requiring direct parsing from bytes and/or partial parsers, the [`fast-float2`](https://crates.io/crates/fast-float2) fork of `fast-float` containing these security patches and reduces overall usage of unsafe.