
Fix stdweb audit advisory RUSTSEC-2020-0056

Open notmandatory opened this issue 3 years ago • 6 comments

% cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 405 security advisories (from /home/steve/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (238 crate dependencies)
Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree: 
stdweb 0.4.20
└── time 0.2.27
    ├── cookie_store 0.12.0
    │   └── ureq 1.5.5
    └── cookie 0.14.4
        ├── ureq 1.5.5
        └── cookie_store 0.12.0

warning: 1 allowed warning found

notmandatory avatar Apr 28 '22 02:04 notmandatory

I think I found the bottom of this hole. The stdweb lib was a complex JS-to-Rust link library and I have no clue why they needed it in time. And now it's saying unmaintained, so it's an even higher vulnerability.

Recent versions of time remove stdweb from their deps. And recent ureq ~2.2.0 includes the change.

The problem is occurring from ureq 1.5.5, which uses a lower version of time which still has stdweb, and it's only a requirement of bitcoind.

https://github.com/bitcoindevkit/bdk-cli/blob/8d14cf5549805b685d95c72247b358e67b6a330f/Cargo.lock#L266-L280

And Ricardo pinned this version for the MSRV constraint.

https://github.com/RCasatta/bitcoind/blob/31e88fdb011e37ebec08c710ad994d62d46b42b7/Cargo.toml#L22

So the easiest way to fix is remove the pin in bitcoind and let it use the latest ureq.

cc @RCasatta

UPDATE: The same situation is there for BDK too.

rajarshimaitra avatar Apr 29 '22 07:04 rajarshimaitra
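The comment above works out by hand, from the reverse dependency tree that `cargo audit` prints, which crate the project can actually act on (ureq 1.5.5). The script below, an added example that is not part of this issue or of the bdk-cli/bitcoind code, does the same mechanically: it parses the text report shown in the issue, then takes the leaves of the tree and drops any leaf that cargo-audit also expanded as a parent elsewhere (cookie_store under cookie in the report is such a repeat), leaving the crate whose bump removes the flagged one. The embedded report is a copy of the one in the issue; the assumption that the text layout (4-column indent, `└── ` / `├── ` glyphs) is stable is the example's own, and for anything beyond a quick script `cargo audit --json` is the sturdier input.

```python
"""Parse the text report printed by `cargo audit` and find the crate whose
bump would remove the flagged dependency.

The tree in the report is a *reverse* dependency tree: the flagged crate is
at the top and the crates that pull it in fan out below.  The crates the
project can act on are the leaves, except that cargo-audit prints a crate it
already expanded elsewhere as a bare leaf, so leaves that also appear as a
parent are discarded.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: a copy of the report from the issue.
SAMPLE_REPORT = """\
    Scanning Cargo.lock for vulnerabilities (238 crate dependencies)
Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    ├── cookie_store 0.12.0
    │   └── ureq 1.5.5
    └── cookie 0.14.4
        ├── ureq 1.5.5
        └── cookie_store 0.12.0

warning: 1 allowed warning found
"""


@dataclass
class Advisory:
    fields: dict                                 # Crate, Version, Warning, ID, URL, ...
    edges: list = field(default_factory=list)    # (parent, child) pairs, "name version"


# Header lines look like "Key:   value"; only capitalised keys belong to an advisory,
# so the trailing "warning: 1 allowed warning found" line is ignored.
_HEADER = re.compile(r"^([A-Z][A-Za-z ]*):\s*(.*)$")
# Tree lines: zero or more 4-column indent groups, a branch glyph, then "name version".
_BRANCH = re.compile(r"^((?:[│ ]   )*)(?:└── |├── )(.+)$")


def parse_report(text: str) -> list[Advisory]:
    """Return one Advisory per 'Crate:' block, with its reverse tree as edges."""
    advisories: list[Advisory] = []
    current: Advisory | None = None
    stack: list[str] = []      # stack[d] is the node currently open at depth d
    in_tree = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not in_tree:
            m = _HEADER.match(line)
            if m and m.group(1) == "Crate":
                current = Advisory(fields={})
                advisories.append(current)
            if current is None or not m:
                continue
            if m.group(1) == "Dependency tree":
                in_tree, stack = True, []
            else:
                current.fields[m.group(1)] = m.group(2)
            continue
        if not line:                      # blank line closes the tree
            in_tree = False
            continue
        b = _BRANCH.match(line)
        if b is None:                     # unindented root: the flagged crate itself
            stack = [line.strip()]
            continue
        depth = len(b.group(1)) // 4 + 1
        node = b.group(2).strip()
        stack[depth:] = [node]            # pop deeper siblings, push this node
        current.edges.append((stack[depth - 1], node))
    return advisories


def actionable_crates(adv: Advisory) -> set[str]:
    """Leaves of the reverse tree that are never shown as a parent: the crates
    whose bump (here: ureq) would drop the flagged crate from Cargo.lock."""
    parents = {p for p, _ in adv.edges}
    children = {c for _, c in adv.edges}
    return children - parents


def chains(adv: Advisory) -> list[list[str]]:
    """Every path from the flagged crate down to an actionable leaf."""
    kids: dict[str, list[str]] = {}
    for p, c in adv.edges:
        kids.setdefault(p, []).append(c)
    root = f"{adv.fields['Crate']} {adv.fields['Version']}"
    targets = actionable_crates(adv)
    out: list[list[str]] = []

    def walk(node: str, path: list[str]) -> None:
        if node not in kids:
            if node in targets:
                out.append(path)
            return
        for child in kids[node]:          # Cargo graphs are acyclic, so no visited set
            walk(child, path + [child])

    walk(root, [root])
    return out


if __name__ == "__main__":
    for adv in parse_report(SAMPLE_REPORT):
        print(adv.fields["ID"], adv.fields["Warning"], adv.fields["Crate"], adv.fields["Version"])
        print("  bump:", ", ".join(sorted(actionable_crates(adv))))
        for chain in chains(adv):
            print("  via:", " <- ".join(chain))
```

Run it on a saved `cargo audit` report (redirect stdout to a file and pass it to `parse_report`) and the "bump:" line names the direct dependency to raise, which is the same conclusion the thread reaches for ureq.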

The plan I have in mind is:

  • rust-bitcoincore-rpc 0.15 with bitcoin 0.28 is released https://github.com/rust-bitcoin/rust-bitcoincore-rpc/pull/221
  • merge https://github.com/RCasatta/bitcoind/pull/62 and https://github.com/RCasatta/bitcoind/pull/60, release bitcoind 0.26.0
  • remove pinning and increase MSRV to x.x.x (TBD), release bitcoind 0.27.0

RCasatta avatar May 03 '22 08:05 RCasatta

On the MSRV question, BDK is bumping up to 1.56.0.

  • https://github.com/bitcoindevkit/bdk/pull/596.

Also, the focus for the next bdk release 0.19.0 is TP support, so also updating bitcoin to 0.28 along with other dependencies doing the same, like rust-bitcoincore-rpc. Once BDK 0.19.0 is released, the high priority for bdk-cli should be to do the corresponding updates.

notmandatory avatar May 03 '22 18:05 notmandatory

I think this will be fixed by #99 so I assigned it to you @rajarshimaitra to confirm. Thanks!

notmandatory avatar Jun 21 '22 14:06 notmandatory

It seems it's still there with #99:

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 417 security advisories (from /home/raj/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (268 crate dependencies)
Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree: 
stdweb 0.4.20
└── time 0.2.27
    ├── cookie_store 0.12.0
    │   └── ureq 1.5.5
    └── cookie 0.14.4
        ├── ureq 1.5.5
        └── cookie_store 0.12.0

warning: 1 allowed warning found

rajarshimaitra avatar Jun 23 '22 12:06 rajarshimaitra

Moved this one to bdk-cli 0.7.0 since the updated version of bitcoind 0.27.0 isn't released yet.

notmandatory avatar Jul 06 '22 05:07 notmandatory