
Multiple dependencies with known security vulnerabilities #140

Closed
Shnatsel opened this issue Dec 21, 2021 · 4 comments · Fixed by #160

Comments

@Shnatsel

Running cargo audit on the repository reports 4 known vulnerabilities in the dependency tree:

Crate:         brotli-sys
Version:       0.3.2
Title:         Integer overflow in the bundled Brotli C library
Date:          2021-12-20
ID:            RUSTSEC-2021-0131
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0131
Solution:      No safe upgrade is available!
Dependency tree: 
brotli-sys 0.3.2
└── brotli2 0.3.2
    └── https 1.12.2

Crate:         hyper
Version:       0.10.16
Title:         Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:          2021-07-07
ID:            RUSTSEC-2021-0079
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0079
Solution:      Upgrade to >=0.14.10
Dependency tree: 
hyper 0.10.16
├── rfsapi 0.1.0
│   └── https 1.12.2
├── iron 0.6.1
│   └── https 1.12.2
└── hyper-native-tls 0.3.0
    ├── iron 0.6.1
    └── https 1.12.2

Crate:         hyper
Version:       0.10.16
Title:         Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:          2021-07-07
ID:            RUSTSEC-2021-0078
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0078
Solution:      Upgrade to >=0.14.10

Crate:         time
Version:       0.1.43
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.43
├── rfsapi 0.1.0
│   └── https 1.12.2
├── hyper 0.10.16
│   ├── rfsapi 0.1.0
│   ├── iron 0.6.1
│   │   └── https 1.12.2
│   └── hyper-native-tls 0.3.0
│       ├── iron 0.6.1
│       └── https 1.12.2
└── https 1.12.2

error: 4 vulnerabilities found!
nabijaczleweli added a commit that referenced this issue Dec 31, 2021
@nabijaczleweli
Collaborator

nabijaczleweli commented Dec 31, 2021

Hm. The hyper and iron bits are unfixable, I think, without re-writing this in its entirety (iron is dead (the last commit is me updating to hyper-native-tls 0.3), hyper is infinitely different). Pushed the blake thing though, despite it not being triggerable here (we don't encode files bigger than 100MB).

@nabijaczleweli
Collaborator

brotli2 replaced with brotli in v1.12.3.

@nabijaczleweli
Collaborator

0f7301e:

warning: `D:\Users\nabijaczleweli\.cargo\config` is deprecated in favor of `config.toml`
note: if you need to support cargo 1.38 or earlier, you can symlink `config` to `config.toml`
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 627 security advisories (from D:\Users\nabijaczleweli\.cargo\advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (152 crate dependencies)
Crate:     hyper
Version:   0.10.16
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
|-- rfsapi 0.2.0
    \-- https 1.13.2

Crate:     hyper
Version:   0.10.16
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     hyper
Version:   0.10.16
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
|-- iron 0.6.1
|   \-- https 1.13.2
|-- hyper-native-tls 0.3.0
    \-- iron 0.6.1
    \-- https 1.13.2

Crate:     hyper
Version:   0.10.16
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
|-- rfsapi 0.2.0
|   \-- https 1.13.2
|-- hyper 0.10.16
|   \-- rfsapi 0.2.0
|-- https 1.13.2

Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
|-- clap 2.34.0
    \-- https 1.13.2

Crate:     safemem
Version:   0.3.3
Warning:   unmaintained
Title:     safemem is unmaintained
Date:      2023-02-14
ID:        RUSTSEC-2023-0081
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0081
Dependency tree:
safemem 0.3.3
|-- base64 0.9.3
    \-- hyper 0.10.16
        \-- rfsapi 0.2.0
            \-- https 1.13.2

Crate:     traitobject
Version:   0.1.0
Warning:   unmaintained
Title:     traitobject is Unmaintained
Date:      2021-10-04
ID:        RUSTSEC-2021-0144
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0144
Dependency tree:
traitobject 0.1.0
|-- hyper 0.10.16
    \-- rfsapi 0.2.0
        \-- https 1.13.2

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
|-- clap 2.34.0
    \-- https 1.13.2

Crate:     hyper
Version:   0.10.16
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     hyper
Version:   0.10.16
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     traitobject
Version:   0.1.0
Warning:   unsound
Title:     traitobject assumes the layout of fat pointers
Date:      2020-06-01
ID:        RUSTSEC-2020-0027
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0027
Severity:  9.8 (critical)

error: 5 vulnerabilities found!
warning: 7 allowed warnings found

💀

nabijaczleweli added a commit that referenced this issue May 30, 2024
Before:
$ telnet nabijaczleweli 8002
Trying 192.168.1.109...
Connected to nabijaczleweli.nabijaczleweli.xyz.
Escape character is '^]'.
GET / HTTP/1.1
Content-Length: +3

HTTP/1.1 400 Bad Request
Date: Thu, 30 May 2024 19:31:35 GMT
Transfer-Encoding: chunked

0

Connection closed by foreign host.

After:
$ telnet nabijaczleweli 8002
Trying 192.168.1.109...
Connected to nabijaczleweli.nabijaczleweli.xyz.
Escape character is '^]'.
GET / HTTP/1.1
Content-Length: +3

Connection closed by foreign host.

Ref: #140
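The `Content-Length: +3` request in the commit message above is the lenient parsing RUSTSEC-2021-0078 describes, and RUSTSEC-2021-0079 is the same kind of problem in chunk-size arithmetic. As an added example (not code from the `https` crate, hyper, or this commit; `LengthError` and the function names are my own), this is the strict parsing a server wants for both: only the RFC 7230 grammar is accepted and nothing is coerced or allowed to wrap.

```rust
// Added example, not code from the `https` crate, hyper or this commit: strict
// parsing of Content-Length (RUSTSEC-2021-0078) and chunk-size (RUSTSEC-2021-0079)
// values, accepting only RFC 7230 grammar (1*DIGIT / 1*HEXDIG) with checked math.
#[derive(Debug, PartialEq, Eq)]
pub enum LengthError {
    Empty,
    BadChar,
    Overflow,
    Conflicting,
}

/// Digits only, in the given radix: a "+", a space or a "0x" prefix is an
/// error instead of being skipped or coerced, and the accumulator never wraps.
fn parse_strict(digits: &str, radix: u32) -> Result<u64, LengthError> {
    if digits.is_empty() {
        return Err(LengthError::Empty);
    }
    let mut n: u64 = 0;
    for c in digits.chars() {
        let d = u64::from(c.to_digit(radix).ok_or(LengthError::BadChar)?);
        n = n.checked_mul(u64::from(radix)).and_then(|n| n.checked_add(d)).ok_or(LengthError::Overflow)?;
    }
    Ok(n)
}

/// One Content-Length field value; "+3" from the session above is BadChar.
pub fn parse_content_length(value: &str) -> Result<u64, LengthError> {
    parse_strict(value, 10)
}

/// Repeated Content-Length fields (or a comma list) must all agree: a proxy and
/// an origin choosing different ones is the smuggling desync, so any conflict
/// rejects the message. Items are deliberately not trimmed ("42, 42" -> BadChar).
pub fn content_length_from_fields(fields: &[&str]) -> Result<u64, LengthError> {
    let mut agreed: Option<u64> = None;
    for item in fields.iter().flat_map(|f| f.split(',')) {
        let n = parse_content_length(item)?;
        if agreed.map_or(false, |prev| prev != n) {
            return Err(LengthError::Conflicting);
        }
        agreed = Some(n);
    }
    agreed.ok_or(LengthError::Empty)
}

/// Chunk-size line with CRLF already stripped ("1a;ext=1" -> 26): an oversized
/// hex string is Overflow, not a wrapped-around small number that desyncs framing.
pub fn parse_chunk_size(line: &str) -> Result<u64, LengthError> {
    parse_strict(line.split(';').next().unwrap_or(""), 16)
}
```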
nabijaczleweli added a commit that referenced this issue May 30, 2024
@nabijaczleweli
Collaborator

All fixed by in v2.0.0.
