Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resolve 2 security issues #1223

Closed
martinfrances107 opened this issue Aug 22, 2023 · 5 comments
Closed

Resolve 2 security issues #1223

martinfrances107 opened this issue Aug 22, 2023 · 5 comments

Comments

@martinfrances107
Copy link

There are 2 problems that I see .. I just want to report them

There is a difference between the latest version published on crates.io ( 0.4.26 )
and the main branch here..

For example when I run cargo audit on a upstream package ( theta-chart )

I get the first warning

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (64 crate dependencies)

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
└── chrono 0.4.26
    └── theta-chart 0.0.5

This problem is known .... when I run cargo audit on the "main" branch
I see that it has fixed but that is I see a different security advisory

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── criterion 0.4.0
    └── chrono 0.5.0-alpha.1

@djc
Copy link
Member

djc commented Aug 22, 2023

For RUSTSEC-2020-0071, see #602. For RUSTSEC-2021-0145, note that the dependency is guarded by an __internal-bench Cargo feature, so this should not have any effect on your code.

(We should definitely get rid of __internal-bench in favor of a normal benchmark that only consumes a dev-dependency though.)

@martinfrances107
Copy link
Author

Can I ask a Question, I can't find the answer after looking

What does the release cycle look like -- when will the already commit patch, that fixes the first advisory, be published on crates.io?

If there is any manual testing to be done please nudge me and I will jump on it.

Secondly, this PR #1224 fixes the second advisory

@pitdicker
Copy link
Collaborator

Thank you for looking into this. Unfortunately both are not just simple fixes.

The time 0.1 dependency is only there because one of its types is part of our public API. We don't use the functionality that is related to the security advisory.
Issues related to this advisory are opened somewhat frequently... This is the latest with a workaround: #1189.

We hope to fix it with #1095.

@pitdicker
Copy link
Collaborator

We mostly work on the 0.4.x branch, main should eventually become a 0.5 release but has quite some work left to do.

@pitdicker
Copy link
Collaborator

Criterion is dropped as a dependency in #1243 (moved to a sub-crate and updated to 5.1).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants