Latest release contains crates with 12 security vulnerabilities #200

Open
Mic92 opened this issue Jan 8, 2023 · 1 comment

Comments

@Mic92 (Member)

Mic92 commented Jan 8, 2023

cargo audit for v0.1.2

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 477 security advisories (from /home/joerg/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (141 crate dependencies)
Crate: brotli-sys
Version: 0.3.2
Title: Integer overflow in the bundled Brotli C library
Date: 2021-12-20
ID: RUSTSEC-2021-0131
URL: https://rustsec.org/advisories/RUSTSEC-2021-0131
Solution: No fixed upgrade is available!
Dependency tree:
brotli-sys 0.3.2
└── brotli2 0.3.2
    └── nix-index 0.1.2

Crate: crossbeam-deque
Version: 0.6.1
Title: Data race in crossbeam-deque
Date: 2021-07-30
ID: RUSTSEC-2021-0093
URL: https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution: Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree:
crossbeam-deque 0.6.1
└── tokio-threadpool 0.1.6
    ├── tokio-fs 0.1.3
    │   └── tokio 0.1.8
    │       └── tokio-core 0.1.17
    │           ├── tokio-retry 0.1.1
    │           │   └── nix-index 0.1.2
    │           ├── tokio-proto 0.1.1
    │           │   └── hyper 0.11.27
    │           │       └── nix-index 0.1.2
    │           ├── nix-index 0.1.2
    │           └── hyper 0.11.27
    └── tokio 0.1.8

Crate: hyper
Version: 0.11.27
Title: Lenient hyper header parsing of Content-Length could allow request smuggling
Date: 2021-07-07
ID: RUSTSEC-2021-0078
URL: https://rustsec.org/advisories/RUSTSEC-2021-0078
Solution: Upgrade to >=0.14.10
Dependency tree:
hyper 0.11.27
└── nix-index 0.1.2

Crate: hyper
Version: 0.11.27
Title: Integer overflow in hyper's parsing of the Transfer-Encoding header leads to data loss
Date: 2021-07-07
ID: RUSTSEC-2021-0079
URL: https://rustsec.org/advisories/RUSTSEC-2021-0079
Solution: Upgrade to >=0.14.10

Crate: hyper
Version: 0.11.27
Title: Flaw in hyper allows request smuggling by sending a body in GET requests
Date: 2020-03-19
ID: RUSTSEC-2020-0008
URL: https://rustsec.org/advisories/RUSTSEC-2020-0008
Solution: Upgrade to >=0.12.34

Crate: owning_ref
Version: 0.3.3
Title: Multiple soundness issues in owning_ref
Date: 2022-01-26
ID: RUSTSEC-2022-0040
URL: https://rustsec.org/advisories/RUSTSEC-2022-0040
Solution: No fixed upgrade is available!
Dependency tree:
owning_ref 0.3.3
└── lock_api 0.1.3
    └── parking_lot 0.6.4
        └── tokio-reactor 0.1.5
            ├── tokio-uds 0.2.1
            │   └── tokio 0.1.8
            │       └── tokio-core 0.1.17
            │           ├── tokio-retry 0.1.1
            │           │   └── nix-index 0.1.2
            │           ├── tokio-proto 0.1.1
            │           │   └── hyper 0.11.27
            │           │       └── nix-index 0.1.2
            │           ├── nix-index 0.1.2
            │           └── hyper 0.11.27
            ├── tokio-udp 0.1.2
            │   └── tokio 0.1.8
            ├── tokio-tcp 0.1.1
            │   └── tokio 0.1.8
            ├── tokio-core 0.1.17
            └── tokio 0.1.8

Crate: regex
Version: 1.0.5
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date: 2022-03-08
ID: RUSTSEC-2022-0013
URL: https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.0.5
├── nix-index 0.1.2
└── grep 0.1.9
    └── nix-index 0.1.2

Crate: smallvec
Version: 0.6.5
Title: Double-free and use-after-free in SmallVec::grow()
Date: 2019-06-06
ID: RUSTSEC-2019-0009
URL: https://rustsec.org/advisories/RUSTSEC-2019-0009
Solution: Upgrade to >=0.6.10
Dependency tree:
smallvec 0.6.5
└── parking_lot_core 0.3.1
    └── parking_lot 0.6.4
        └── tokio-reactor 0.1.5
            ├── tokio-uds 0.2.1
            │   └── tokio 0.1.8
            │       └── tokio-core 0.1.17
            │           ├── tokio-retry 0.1.1
            │           │   └── nix-index 0.1.2
            │           ├── tokio-proto 0.1.1
            │           │   └── hyper 0.11.27
            │           │       └── nix-index 0.1.2
            │           ├── nix-index 0.1.2
            │           └── hyper 0.11.27
            ├── tokio-udp 0.1.2
            │   └── tokio 0.1.8
            ├── tokio-tcp 0.1.1
            │   └── tokio 0.1.8
            ├── tokio-core 0.1.17
            └── tokio 0.1.8

Crate: smallvec
Version: 0.6.5
Title: Buffer overflow in SmallVec::insert_many
Date: 2021-01-08
ID: RUSTSEC-2021-0003
URL: https://rustsec.org/advisories/RUSTSEC-2021-0003
Solution: Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1

Crate: smallvec
Version: 0.6.5
Title: Memory corruption in SmallVec::grow()
Date: 2019-07-19
ID: RUSTSEC-2019-0012
URL: https://rustsec.org/advisories/RUSTSEC-2019-0012
Solution: Upgrade to >=0.6.10

Crate: thread_local
Version: 0.3.6
Title: Data race in Iter and IterMut
Date: 2022-01-23
ID: RUSTSEC-2022-0006
URL: https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution: Upgrade to >=1.1.4
Dependency tree:
thread_local 0.3.6
└── regex 1.0.5
    ├── nix-index 0.1.2
    └── grep 0.1.9
        └── nix-index 0.1.2

Crate: time
Version: 0.1.40
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.40
├── stderr 0.8.0
│   └── nix-index 0.1.2
└── hyper 0.11.27
    └── nix-index 0.1.2

Crate: ansi_term
Version: 0.10.2
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.10.2
└── nix-index 0.1.2

Crate: ansi_term
Version: 0.11.0
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.11.0
└── clap 2.32.0
    └── nix-index 0.1.2

Crate: net2
Version: 0.2.33
Warning: unmaintained
Title: net2 crate has been deprecated; use socket2 instead
Date: 2020-05-01
ID: RUSTSEC-2020-0016
URL: https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.33
├── tokio-proto 0.1.1
│   └── hyper 0.11.27
│       └── nix-index 0.1.2
├── miow 0.2.1
│   └── mio 0.6.16
│       ├── tokio-uds 0.2.1
│       │   └── tokio 0.1.8
│       │       └── tokio-core 0.1.17
│       │           ├── tokio-retry 0.1.1
│       │           │   └── nix-index 0.1.2
│       │           ├── tokio-proto 0.1.1
│       │           ├── nix-index 0.1.2
│       │           └── hyper 0.11.27
│       ├── tokio-udp 0.1.2
│       │   └── tokio 0.1.8
│       ├── tokio-tcp 0.1.1
│       │   └── tokio 0.1.8
│       ├── tokio-reactor 0.1.5
│       │   ├── tokio-uds 0.2.1
│       │   ├── tokio-udp 0.1.2
│       │   ├── tokio-tcp 0.1.1
│       │   ├── tokio-core 0.1.17
│       │   └── tokio 0.1.8
│       ├── tokio-core 0.1.17
│       ├── tokio 0.1.8
│       └── mio-uds 0.6.7
│           └── tokio-uds 0.2.1
├── mio 0.6.16
└── hyper 0.11.27

Crate: stderr
Version: 0.8.0
Warning: unmaintained
Title: stderr is unmaintained; use eprintln instead
Date: 2020-12-22
ID: RUSTSEC-2020-0109
URL: https://rustsec.org/advisories/RUSTSEC-2020-0109
Dependency tree:
stderr 0.8.0
└── nix-index 0.1.2

Crate: tokio-proto
Version: 0.1.1
Warning: unmaintained
Title: tokio-proto is deprecated/unmaintained
Date: 2020-02-06
ID: RUSTSEC-2020-0162
URL: https://rustsec.org/advisories/RUSTSEC-2020-0162
Dependency tree:
tokio-proto 0.1.1
└── hyper 0.11.27
    └── nix-index 0.1.2

Crate: xml-rs
Version: 0.8.0
Warning: unmaintained
Title: xml-rs is Unmaintained
Date: 2022-01-26
ID: RUSTSEC-2022-0048
URL: https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.0
└── nix-index 0.1.2

Crate: miow
Version: 0.2.1
Warning: yanked
Dependency tree:
miow 0.2.1
└── mio 0.6.16
    ├── tokio-uds 0.2.1
    │   └── tokio 0.1.8
    │       └── tokio-core 0.1.17
    │           ├── tokio-retry 0.1.1
    │           │   └── nix-index 0.1.2
    │           ├── tokio-proto 0.1.1
    │           │   └── hyper 0.11.27
    │           │       └── nix-index 0.1.2
    │           ├── nix-index 0.1.2
    │           └── hyper 0.11.27
    ├── tokio-udp 0.1.2
    │   └── tokio 0.1.8
    ├── tokio-tcp 0.1.1
    │   └── tokio 0.1.8
    ├── tokio-reactor 0.1.5
    │   ├── tokio-uds 0.2.1
    │   ├── tokio-udp 0.1.2
    │   ├── tokio-tcp 0.1.1
    │   ├── tokio-core 0.1.17
    │   └── tokio 0.1.8
    ├── tokio-core 0.1.17
    ├── tokio 0.1.8
    └── mio-uds 0.6.7
        └── tokio-uds 0.2.1

Crate: net2
Version: 0.2.33
Warning: yanked

Crate: smallvec
Version: 0.6.5
Warning: yanked

error: 12 vulnerabilities found!
warning: 9 allowed warnings found

The current master would bring this down to 4 security vulnerabilities

cargo audit for master

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 477 security advisories (from /home/joerg/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (178 crate dependencies)
Crate: brotli-sys
Version: 0.3.2
Title: Integer overflow in the bundled Brotli C library
Date: 2021-12-20
ID: RUSTSEC-2021-0131
URL: https://rustsec.org/advisories/RUSTSEC-2021-0131
Solution: No fixed upgrade is available!
Dependency tree:
brotli-sys 0.3.2
└── brotli2 0.3.2
    └── nix-index 0.1.3

Crate: regex
Version: 1.5.4
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date: 2022-03-08
ID: RUSTSEC-2022-0013
URL: https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.5.4
├── nix-index 0.1.3
├── grep-regex 0.1.9
│   └── grep 0.2.8
│       └── nix-index 0.1.3
├── grep-cli 0.1.6
│   └── grep 0.2.8
└── globset 0.4.8
    └── grep-cli 0.1.6

Crate: thread_local
Version: 1.1.3
Title: Data race in Iter and IterMut
Date: 2022-01-23
ID: RUSTSEC-2022-0006
URL: https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution: Upgrade to >=1.1.4
Dependency tree:
thread_local 1.1.3
└── grep-regex 0.1.9
    └── grep 0.2.8
        └── nix-index 0.1.3

Crate: time
Version: 0.1.43
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.43
└── stderr 0.8.0
    └── nix-index 0.1.3

Crate: ansi_term
Version: 0.12.1
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── nix-index 0.1.3

Crate: stderr
Version: 0.8.0
Warning: unmaintained
Title: stderr is unmaintained; use eprintln instead
Date: 2020-12-22
ID: RUSTSEC-2020-0109
URL: https://rustsec.org/advisories/RUSTSEC-2020-0109
Dependency tree:
stderr 0.8.0
└── nix-index 0.1.3

Crate: xml-rs
Version: 0.8.4
Warning: unmaintained
Title: xml-rs is Unmaintained
Date: 2022-01-26
ID: RUSTSEC-2022-0048
URL: https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.4
└── nix-index 0.1.3

Crate: cpufeatures
Version: 0.2.1
Warning: yanked
Dependency tree:
cpufeatures 0.2.1
└── sha-1 0.9.8
    └── headers 0.3.5
        ├── nix-index 0.1.3
        └── hyper-proxy 0.9.1
            └── nix-index 0.1.3

error: 4 vulnerabilities found!
warning: 4 allowed warnings found
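As an added example (not code from this issue or from nix-index), a small Python triage helper that parses the text layout `cargo audit` prints above and sorts findings into three buckets: advisories fixed by a version bump, advisories with no fixed release (where the direct dependent, here brotli2, has to be replaced instead), and unmaintained/yanked warnings. The sample report is constructed from a few of the entries above, with Title/Date/URL lines omitted.

```python
# Constructed excerpt in the text layout `cargo audit` prints (Title/Date/URL lines omitted).
SAMPLE_REPORT = """\
Crate: brotli-sys
Version: 0.3.2
ID: RUSTSEC-2021-0131
Solution: No fixed upgrade is available!
Dependency tree:
brotli-sys 0.3.2
└── brotli2 0.3.2
    └── nix-index 0.1.2
Crate: regex
ID: RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.0.5
├── nix-index 0.1.2
└── grep 0.1.9
    └── nix-index 0.1.2
Crate: net2
Version: 0.2.33
Warning: yanked
"""
KEYS = {"Crate", "Version", "Title", "ID", "Solution", "Warning"}

def parse_audit(text):
    """Split cargo-audit text output into one dict per `Crate:` block."""
    records, cur = [], None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key == "Crate":  # a new finding starts; following tree lines belong to it
            cur = {"Crate": val.strip(), "path": []}
            records.append(cur)
        elif key in KEYS and cur is not None:
            cur[key] = val.strip()
        elif cur is not None and "── " in line:  # tree line: keep "dependent version"
            cur["path"].append(line.split("── ", 1)[1].strip())
    return records

def triage(text):
    """Bucket findings by what the fix needs: version bump, replacement, or review."""
    out = {"upgradeable": [], "no_fix": [], "warnings": []}
    for r in parse_audit(text):
        if "Warning" in r:  # unmaintained / yanked: not a CVE-class bug, but still a risk
            out["warnings"].append((r["Crate"], r["Version"], r["Warning"]))
        elif r.get("Solution", "").startswith("Upgrade to "):
            out["upgradeable"].append((r["Crate"], r["ID"], r["Solution"][len("Upgrade to "):]))
        else:  # no fixed release: the direct dependent (first tree child) must be swapped out
            out["no_fix"].append((r["Crate"], r["ID"], r["path"][0] if r["path"] else None))
    return out
```

Run it over a saved `cargo audit` text report to get a fix list; the `no_fix` bucket is the one that needs a dependency swap rather than a `Cargo.lock` bump.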

Mic92 mentioned this issue Jan 8, 2023

@bennofs (Collaborator)

bennofs commented Jan 13, 2023

Fixed everything except unmaintained xml-rs and ansi_term. ansi_term is a really small library so moving away from it has low priority. xml-rs is a bit bigger, but it's also a bit more work to migrate to something else. Perhaps we should find a better way to get the package attributes instead, since using nix-env is not optimal anyway (no support for flakes).
