https://discourse.ubuntu.com/t/an-update-on-rust-coreutils/80773 announces the results of a security audit of the rust-coreutils package by Zellic. The Audit Report is published at: https://github.com/Zellic/publications/blob/master/uutils%20coreutils%20-%20Zellic%20Audit%20Report.pdf
The summary of the Audit Report states:

> During our assessment on the scoped uutils coreutils targets, we discovered
> 73 findings. Seven critical issues were found. Eleven were of high impact,
> 29 were of medium impact, and 26 were of low impact.

The Ubuntu summary notes that the above report covered the first round, "the most security-sensitive tools in the coreutils suite", and that a second round on the remaining utilities turned up 40 more issues, reported in the form of pull requests to the upstream repo, listed on: https://github.com/uutils/coreutils/pulls?q=is%3Apr+label%3Areported-canonical-2

It also says the bulk of the issues are fixed in the upstream 0.8.0 release, and links to the many CVE ids issued for this work.

https://corrode.dev/blog/bugs-rust-wont-catch/ adds some further analysis of the issues and suggestions for other Rust projects to follow.

--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
