safe4u commented Jul 7, 2024

The util functions buffer_as_slice and buffer_as_slice_mut in crate workflow-core could create an illegal slice.
The details are described in workflow-rs/workflow-rs#11

kornelski commented Dec 4, 2024

Still unsound in 0.18.0. Could you update the version in the advisory?

kornelski left a comment

The report is technically accurate.

Sadly, there's no fixed version, and it looks like development on the crate has ground to a halt.

@pduhandeh-collab

Thanks for all

djc commented Nov 28, 2025

@aspect @surinder83singh can you talk about the maintenance status of the workflow-core crate? If it's unmaintained, it would be good to communicate this.

aspect commented Dec 4, 2025

Thanks for tagging. This is great.

No, the crate is very much maintained and is critical to some well-maintained mainstream applications.

This is my fault, as I have basically disregarded this, assuming that this is AI auto-detection and that this crate contains a general-purpose toolbox of different handy utils ... not really used by anyone (and apparently broken :)). They just sit in one of the submodules.

I am unfortunately swamped and can't look at this right now or in the coming days. There is a maintenance pass that is needed in related crates (it's a large framework). These functions should be just killed off.

I will add this to my general todo list and address this eventually.

djc commented Dec 4, 2025

@aspect okay, so is it okay if we just publish this advisory without fixed versions for now? We can always add those later as they become available.
