matrix-rust-sdk
rqrr 0.4 pulls in lru with security advisory
`cargo audit` says:

```
Scanning Cargo.lock for vulnerabilities (479 crate dependencies)
Crate:         lru
Version:       0.6.6
Title:         Use after free in lru crate
Date:          2021-12-21
ID:            RUSTSEC-2021-0130
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0130
Solution:      Upgrade to >=0.7.1
Dependency tree:
lru 0.6.6
```

Which comes in from `rqrr` 0.4.0, which has a newer version (0.5.0) that we can't upgrade to because it is not compatible with `qrcode`.
From looking at the advisory, `rqrr` is using the affected methods and as such must be considered vulnerable.
So there are a couple of options here.

- `rqrr` is optional, it adds QR code decoding support. We could just remove the optional feature and be done with it.
- Fork `qrcode` and update it.
- Use another library to generate QR codes so we can bump `rqrr`. The best candidate seems to be `qrcode_generator`.
Option 1. still leaves us with a questionable dependency that continues to use `image` 0.23.

Option 2. means more code to maintain.

Option 3. means we're going to lose at least some features, i.e. `qrcode` has a neat unicode based renderer which might be nice to have for weird projects. It also means that the encoder settings twiddling dance needs to be repeated, for reference see commit 63dc939081c3a892bda0be905c7c954324c63c3e.
I wonder if Fractal is using the QR code decoding support, AFAIR they are not using the QR code encoding support. The Element mobile clients will not use either of these.
@jsparber any info on this, how is Fractal using the QR code features?
We use `QrVerification::to_qr_code()` to generate a QrCode and `QrVerificationData::from_luma()` to detect qr-codes in images.
> - Fork qrcode and update it.

Can't we update the upstream `qrcode` crate?
There's a PR from somebody else already, but it seems like it's not maintained anymore. I've tried to get in touch with the author earlier today.
> - Use another library to generate QR codes so we can bump rqrr. The best candidate seems to be qrcode_generator.

Sounds like a viable option, especially since `qrcode` hasn't been updated in years.