
Problem: `cargo audit` fails

Open devashishdxt opened this issue 3 years ago • 5 comments

Vulnerabilities

~~RUSTSEC-2021-0076~~

~~libsecp256k1 allows overflowing signatures~~

Details
Package ~~libsecp256k1~~
Version ~~0.3.5~~
URL ~~paritytech/libsecp256k1#67~~
Date ~~2021-07-13~~
Patched versions ~~>=0.5.0~~

~~libsecp256k1 accepts signatures whose R or S parameter is larger than the secp256k1 curve order, which differs from other implementations. This could lead to invalid signatures being verified.~~

~~The error is resolved in 0.5.0 by adding a check_overflow flag.~~

~~RUSTSEC-2021-0073~~

~~Conversion from prost_types::Timestamp to SystemTime can cause an overflow and panic~~

Details
Package ~~prost-types~~
Version ~~0.7.0~~
URL ~~tokio-rs/prost#438~~
Date ~~2021-07-08~~
Patched versions ~~>=0.8.0~~

~~Affected versions of this crate contained a bug in which untrusted input could cause an overflow and panic when converting a Timestamp to SystemTime.~~

~~It is recommended to upgrade to prost-types v0.8 and switch the usage of From<Timestamp> for SystemTime to TryFrom<Timestamp> for SystemTime.~~

~~See #438 for more information.~~

RUSTSEC-2020-0159

Potential segfault in localtime_r invocations

Details
Package chrono
Version 0.4.19
URL chronotope/chrono#499
Date 2020-11-10

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

No workarounds are known.

devashishdxt avatar Jul 29 '21 03:07 devashishdxt
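The libsecp256k1 advisory above is about signature scalars that are not reduced modulo the curve order. As an added example (not code from this issue or from the ibc-solo-machine project), this is the kind of canonical-range check a caller can run on a compact `r || s` signature before handing it to a verifier; it goes slightly beyond the advisory by also rejecting zero, since ECDSA requires both scalars to lie in `[1, n-1]`. The curve order constant is the public secp256k1 group order; the error type and function names are assumptions of this example.

```rust
// Added example: reject ECDSA signature scalars outside [1, n-1] before verification.

/// secp256k1 group order n, big-endian. This is the public curve constant.
pub const SECP256K1_ORDER: [u8; 32] = [
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
    0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
    0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
];

/// Reasons a compact signature is rejected before any curve arithmetic runs.
#[derive(Debug, PartialEq, Eq)]
pub enum SigError {
    BadLength,
    ROutOfRange,
    SOutOfRange,
}

/// True iff the big-endian 32-byte scalar satisfies 1 <= scalar < n.
/// Fixed-width big-endian byte arrays compare lexicographically exactly like
/// the unsigned integers they encode, so a plain slice comparison suffices.
pub fn scalar_in_range(scalar: &[u8; 32]) -> bool {
    let is_zero = scalar.iter().all(|&b| b == 0);
    !is_zero && *scalar < SECP256K1_ORDER
}

/// Validates a 64-byte compact signature (r || s). Returns Ok(()) only when
/// both scalars are canonical; an overflowing r or s is reported separately.
pub fn check_compact_signature(sig: &[u8]) -> Result<(), SigError> {
    if sig.len() != 64 {
        return Err(SigError::BadLength);
    }
    let mut r = [0u8; 32];
    let mut s = [0u8; 32];
    r.copy_from_slice(&sig[..32]);
    s.copy_from_slice(&sig[32..]);
    if !scalar_in_range(&r) {
        return Err(SigError::ROutOfRange);
    }
    if !scalar_in_range(&s) {
        return Err(SigError::SOutOfRange);
    }
    Ok(())
}

fn main() {
    // Constructed input: s equals n exactly, which must be rejected.
    let mut sig = [1u8; 64];
    sig[32..].copy_from_slice(&SECP256K1_ORDER);
    println!("{:?}", check_compact_signature(&sig)); // Err(SOutOfRange)
}
```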

Created a PR to upgrade dependencies of tiny-hderive: https://github.com/maciejhirsz/tiny-hderive/pull/7

devashishdxt avatar Jul 29 '21 03:07 devashishdxt

what about using https://crates.io/crates/bip32 instead of tiny-hderive?

tomtau avatar Jul 29 '21 03:07 tomtau

> what about using https://crates.io/crates/bip32 instead of tiny-hderive?

Created a PR for this: #22.

devashishdxt avatar Jul 29 '21 06:07 devashishdxt

Regression in v0.8.0 of prost: https://github.com/tokio-rs/prost/issues/502 and https://github.com/tokio-rs/prost/issues/507

devashishdxt avatar Aug 03 '21 04:08 devashishdxt

Potential segfault in chrono crate: https://github.com/chronotope/chrono/issues/499

devashishdxt avatar Oct 29 '21 01:10 devashishdxt