
Remove Cargo Audit Ignores #1247

Closed
2 tasks done
q9f opened this issue Oct 18, 2021 · 4 comments

q9f commented Oct 18, 2021

Task summary

TL;DR

Fix for RUSTSEC-2020-0071

  • Potential segfault in the time crate
  • Patched: time, >=0.2.23
  • To do: impossible to patch because chrono (see below) depends on time 0.1; replace chrono with time if possible

Fix for RUSTSEC-2020-0159

  • Potential segfault in chrono's localtime_r invocations
  • Patched: not available
  • To do: replace chrono with time if possible

Fix for RUSTSEC-2021-0130

  • Use after free in lru crate
  • Patched: lru, >=0.7.1
  • To do: nothing; we already upgraded lru everywhere, but it still gets pulled in by old libp2p dependencies; upgrade libp2p to 0.42 everywhere

Fix for RUSTSEC-2022-0009

  • Failure to verify the public key of a SignedEnvelope against the PeerId in a PeerRecord
  • Patched: libp2p-core, >=0.31.1
  • To do: upgrade libp2p to 0.42 everywhere
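An added example, not code from the issue or from the project: a small Python model of the dependency-path question behind the to-do items above, in the spirit of the path cargo-audit prints for each flagged crate. The advisory ids and patched versions are the ones listed above; the crate graph and its version numbers are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

Node = Tuple[str, str]  # (crate, version)

# Advisory -> (crate, first patched version) as listed in the issue; None = no fix.
ADVISORIES: Dict[str, Tuple[str, Optional[str]]] = {
    "RUSTSEC-2020-0071": ("time", "0.2.23"),
    "RUSTSEC-2020-0159": ("chrono", None),
    "RUSTSEC-2021-0130": ("lru", "0.7.1"),
    "RUSTSEC-2022-0009": ("libp2p-core", "0.31.1"),
}

# Constructed lock-file style graph (hypothetical versions, not the project's):
# each node lists what it resolves to. The direct lru 0.7.2 sits beside an old
# lru pulled in transitively by libp2p 0.39, which is why an ignore may remain.
BEFORE: Dict[Node, List[Node]] = {
    ("app", "1.0.0"): [("chrono", "0.4.19"), ("lru", "0.7.2"),
                       ("libp2p", "0.39.0"), ("time", "0.3.5")],
    ("chrono", "0.4.19"): [("time", "0.1.44")],
    ("libp2p", "0.39.0"): [("libp2p-core", "0.30.0"), ("lru", "0.6.6")],
}
# The same constructed graph after upgrading libp2p, as the to-do items propose.
AFTER: Dict[Node, List[Node]] = {
    ("app", "1.0.0"): [("chrono", "0.4.19"), ("lru", "0.7.2"),
                       ("libp2p", "0.42.0"), ("time", "0.3.5")],
    ("chrono", "0.4.19"): [("time", "0.1.44")],
    ("libp2p", "0.42.0"): [("libp2p-core", "0.31.1"), ("lru", "0.7.2")],
}

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def is_vulnerable(version: str, patched: Optional[str]) -> bool:
    # No published fix means every version stays flagged.
    return patched is None or parse_version(version) < parse_version(patched)

def vulnerable_paths(graph: Dict[Node, List[Node]], root: Node,
                     crate: str, patched: Optional[str]) -> List[List[str]]:
    """Every root-to-crate path whose leaf is still a vulnerable version."""
    found: List[List[str]] = []
    def walk(node: Node, path: List[str]) -> None:
        path = path + [f"{node[0]} {node[1]}"]
        if node[0] == crate and is_vulnerable(node[1], patched):
            found.append(path)
        for dep in graph.get(node, []):  # lock-file graphs are acyclic
            walk(dep, path)
    walk(root, [])
    return found

def removable_ignores(graph: Dict[Node, List[Node]], root: Node = ("app", "1.0.0")) -> List[str]:
    """Advisories whose audit ignore can be dropped: no vulnerable path remains."""
    return sorted(adv for adv, (crate, patched) in ADVISORIES.items()
                  if not vulnerable_paths(graph, root, crate, patched))
```

With the constructed graphs, no ignore can be dropped before the libp2p upgrade, and afterwards only the two chrono-related advisories keep a path (app -> chrono -> time 0.1.44).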
@q9f q9f added the Status: Needs Triage Issue has unresolved discussions and/or needs to be assigned a priority and assignee label Oct 18, 2021
q9f added a commit that referenced this issue Jan 5, 2022

q9f commented Feb 9, 2022

According to the core developer of chrono, this is unfixable; see chronotope/chrono#499 (comment):

It took quite a bit to figure out what was going on, and if my understanding is correct this vulnerability is unfixable [...]

The most viable option on our end is to remove chrono entirely (replace it with time?) and try to upgrade all time dependencies to >= 0.2.23.

@q9f q9f changed the title Remove Cargo Audit Ignores after Chrono Patch Release Remove Cargo Audit Ignores Feb 10, 2022
@q9f q9f self-assigned this Feb 14, 2022
@lerajk lerajk added Maintenance and removed Status: Needs Triage Issue has unresolved discussions and/or needs to be assigned a priority and assignee labels Feb 14, 2022
LesnyRumcajs (Member) commented

After #1717 is merged, only RUSTSEC-2020-0071 will remain. We'll need to update the jsonwebtoken crate (it will fix this dependency path) and either replace tide with something that doesn't use this chrono version or wait until it fixes itself eventually. This seems to be on the right path, as unfixable chrono is getting fixed: https://github.com/chronotope/chrono/releases/tag/v0.4.20-rc.1. That being said, we'll still need to ignore this audit error until it's updated to 0.5 (it's not even released yet) in tide.

LesnyRumcajs (Member) commented

I'll close this issue in favour of #1761.
