
RUSTSEC-2020-0041: Multiple soundness issues in Chunk and InlineArray #186

Closed
github-actions bot opened this issue Jan 31, 2021 · 2 comments

Comments

@github-actions

Multiple soundness issues in Chunk and InlineArray

Details
Package sized-chunks
Version 0.6.2
URL bodil/sized-chunks#11
Date 2020-09-06

Chunk:

  • Array size is not checked when constructed with unit() and pair().
  • Array size is not checked when constructed with From<InlineArray<A, T>>.
  • Clone and insert_from are not panic-safe; A panicking iterator causes memory safety issues with them.

InlineArray:

  • Generates unaligned references for types with a large alignment requirement.

See advisory page for additional details.
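As an added illustration (hypothetical code written for this issue, not the sized-chunks implementation and not taken from the advisory), the following fixed-capacity chunk shows the three kinds of check the advisory lists as missing: a capacity assertion in `pair()`, a size-and-alignment check before placing an element of type `A` inside the storage of a `T`, and panic-safe `insert_from` and `Clone` that advance `len` only after each slot is actually written, so an unwinding iterator or `A::clone` never leaves `Drop` reading uninitialized slots. Names such as `Chunk`, `fits_inline` and `insert_from` are assumptions for the example.

```rust
use std::mem::{align_of, size_of, MaybeUninit};
use std::ptr;

/// Can an `A` be stored in the storage of a `T` without producing an
/// unaligned reference? Size alone is not enough: the backing type must be
/// at least as strictly aligned as the element type.
pub fn fits_inline<A, T>() -> bool {
    size_of::<A>() <= size_of::<T>() && align_of::<A>() <= align_of::<T>()
}

/// Hypothetical fixed-capacity chunk (example only, not sized-chunks' type).
pub struct Chunk<A, const N: usize> {
    len: usize,
    data: [MaybeUninit<A>; N],
}

impl<A, const N: usize> Chunk<A, N> {
    pub fn new() -> Self {
        // SAFETY: an array of MaybeUninit needs no initialization.
        Chunk { len: 0, data: unsafe { MaybeUninit::uninit().assume_init() } }
    }

    /// Capacity-checked constructor: refuses a chunk that cannot hold two elements.
    pub fn pair(a: A, b: A) -> Self {
        assert!(N >= 2, "Chunk::pair: capacity {} cannot hold two elements", N);
        let mut c = Self::new();
        c.push(a);
        c.push(b);
        c
    }

    pub fn push(&mut self, value: A) {
        assert!(self.len < N, "Chunk is full");
        self.data[self.len].write(value);
        // `len` is advanced only after the slot holds a value, so a panic
        // between two writes never leaves `len` covering an uninitialized slot.
        self.len += 1;
    }

    pub fn len(&self) -> usize {
        self.len
    }

    pub fn as_slice(&self) -> &[A] {
        // SAFETY: slots 0..len are always initialized (see `push`).
        unsafe { std::slice::from_raw_parts(self.data.as_ptr() as *const A, self.len) }
    }

    /// Panic-safe bulk insert: each element is committed individually, so a
    /// panicking iterator leaves the chunk holding exactly the values it received.
    pub fn insert_from<I: IntoIterator<Item = A>>(&mut self, iter: I) {
        for v in iter {
            self.push(v);
        }
    }
}

impl<A: Clone, const N: usize> Clone for Chunk<A, N> {
    /// Panic-safe clone: the new chunk only ever counts successfully cloned
    /// values, so if `A::clone` panics the unwind drops just those values.
    fn clone(&self) -> Self {
        let mut c = Self::new();
        for v in self.as_slice() {
            c.push(v.clone());
        }
        c
    }
}

impl<A, const N: usize> Drop for Chunk<A, N> {
    fn drop(&mut self) {
        // SAFETY: only the first `len` slots are initialized.
        unsafe {
            let init = ptr::slice_from_raw_parts_mut(self.data.as_mut_ptr() as *mut A, self.len);
            ptr::drop_in_place(init);
        }
    }
}
```

The point of the `Clone` and `insert_from` shape is that the length and the initialized prefix are never allowed to disagree, even transiently; that is the invariant an unwinding panic would otherwise break.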

@qrilka
Contributor

qrilka commented Feb 25, 2021

im-rc needs sized-chunks version bumped - bodil/im-rs#179

@pinkforest
Collaborator

pinkforest commented Dec 16, 2021

According to https://rustsec.org/advisories/RUSTSEC-2020-0041.html

This has been fixed in sized-chunks >= 0.6.3, and deps.rs doesn't complain about it anymore either.

Our current Cargo (0.52.0) bumped upstream im-rc, which in turn had bumped to an appropriate sized-chunks, fixing this for cargo-geiger.

4/4        341/347      0/0    0/0     3/3      !  ├── cargo 0.52.0
1/1        122/122      2/2    0/0     4/4      !  │   ├── im-rc 15.0.0
0/1        311/631      0/0    0/0     20/39    !  │   │   ├── sized-chunks 0.6.4

@tarcieri @anderejd, can you please close this issue?

Looking at the release history

This was fixed in cargo-geiger 0.11.0, where cargo was bumped to 0.52.0.

cargo-geiger <= 0.10.2 were influenced by this advisory

FYI, I'm working on a further cargo bump at #208.
