RUSTSEC-2023-0076
cpython is unmaintained
- Reported
- Issued
- Package: cpython (crates.io)
- Type: INFO / Unmaintained
- References
- Patched: no patched versions
Description
The cpython crate and the underlying python3-sys and python27-sys crates have been marked as no longer actively maintained by the developer.
There are also open issues for unsound code currently in these crates, and no patched versions exist:
- cpython#265: Using some string functions causes segmentation faults on big-endian architectures. Due to incorrect bitfield manipulations, it is possible to create invalid Python objects that crash the Python interpreter.
- cpython#294: Python 3.12 is not supported. Due to ABI changes in Python 3.12, calling some string functions will result in invalid Python objects and / or cause out-of-bounds memory accesses.
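Because there is no patched release, the practical question for a project is whether any of the three affected crates is still in its dependency graph. The following is an added example, not code from this advisory or from the cpython or pyo3 projects: a dependency-free Rust scanner that reads the `[[package]]` entries of a Cargo.lock and reports any `cpython`, `python3-sys` or `python27-sys` package it finds. The embedded lock file is constructed for the example (the crate names and versions in it are assumptions, not a real project's lock); `cargo audit` does the same check against the full RustSec database.

```rust
// Added example (not part of the advisory): scan a Cargo.lock for the crates
// named in RUSTSEC-2023-0076. Only the `[[package]]`, `name = "..."` and
// `version = "..."` lines of the lock file are interpreted; everything else
// (source, checksum, dependencies, the top-level `version = 3`) is ignored.

/// Crates this advisory covers: the cpython crate and its two -sys backends.
pub const AFFECTED: [&str; 3] = ["cpython", "python3-sys", "python27-sys"];

/// One package entry recovered from Cargo.lock.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// Strip whitespace and the surrounding double quotes from a TOML string value.
fn unquote(s: &str) -> &str {
    s.trim().trim_matches('"')
}

/// Push a finished `[[package]]` block; a block missing either key is dropped.
fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<LockedPackage>) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        out.push(LockedPackage { name: n, version: v });
    }
}

/// Minimal Cargo.lock reader: every `[[package]]` header starts a new entry.
pub fn parse_lockfile(contents: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;

    for raw in contents.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut packages);
        } else if let Some(rest) = line.strip_prefix("name =") {
            name = Some(unquote(rest).to_string());
        } else if let Some(rest) = line.strip_prefix("version =") {
            version = Some(unquote(rest).to_string());
        }
    }
    flush(&mut name, &mut version, &mut packages);
    packages
}

/// The locked packages covered by this advisory, in lock-file order.
pub fn affected_packages(packages: &[LockedPackage]) -> Vec<LockedPackage> {
    packages
        .iter()
        .filter(|p| AFFECTED.contains(&p.name.as_str()))
        .cloned()
        .collect()
}

/// Constructed sample lock file (assumed, not taken from any real project):
/// an extension crate that still depends on cpython, which pulls in python3-sys.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "cpython"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "libc",
 "python3-sys",
]

[[package]]
name = "libc"
version = "0.2.147"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "my-extension"
version = "0.1.0"
dependencies = [
 "cpython",
]

[[package]]
name = "python3-sys"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "libc",
]
"#;

fn main() {
    // Usage: pass a path to a real Cargo.lock; with no argument the sample is scanned.
    let contents = match std::env::args().nth(1) {
        Some(path) => std::fs::read_to_string(&path).expect("cannot read lock file"),
        None => SAMPLE_LOCK.to_string(),
    };
    let hits = affected_packages(&parse_lockfile(&contents));
    if hits.is_empty() {
        println!("no crates from RUSTSEC-2023-0076 in the lock file");
        return;
    }
    for p in &hits {
        println!("RUSTSEC-2023-0076: {} {} is unmaintained, no patched version; migrate to pyo3", p.name, p.version);
    }
    std::process::exit(1);
}
```

The scanner exits non-zero when it finds a hit, so it can gate a CI job the same way `cargo audit --deny unmaintained` would; transitive dependencies are caught because Cargo.lock lists every resolved package, not only direct ones.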
Recommended alternatives
pyo3 (version 0.19.2 and newer)
The pyo3 crate is actively maintained. Preliminary support for Python 3.12 was added in version 0.19.2, and version 0.20.0 was released with full support for Python 3.12.
Both versions handle string functions correctly on big-endian architectures; the endianness issue affecting the cpython crate has been fixed in recent pyo3 releases.
Advisory available under CC0-1.0 license.