
rqrr 0.4 pulls in lru with security advisory

Open • gnunicorn opened this issue 2 years ago • 5 comments

cargo audit says:

```text
    Scanning Cargo.lock for vulnerabilities (479 crate dependencies)
Crate:         lru
Version:       0.6.6
Title:         Use after free in lru crate
Date:          2021-12-21
ID:            RUSTSEC-2021-0130
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0130
Solution:      Upgrade to >=0.7.1
Dependency tree:
lru 0.6.6
```

This comes in via rqrr 0.4.0, which has a newer version (0.5.0) that we can't upgrade to because it is not compatible with qrcode.

From looking at the advisory, rqrr is using the affected methods and as such must be considered vulnerable.

gnunicorn avatar May 18 '22 19:05 gnunicorn
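As an added example, not code from this issue or from matrix-rust-sdk, the check described in the report above done in a small Python script: read a Cargo.lock, see whether the crate named in the advisory is present at a version below the patched one, and trace the reverse dependency path back to the crate that pulls it in (here rqrr). The Cargo.lock text is a constructed sample that only reproduces the rqrr 0.4.0 -> lru 0.6.6 edge; every version in it other than lru 0.6.6 and rqrr 0.4.0 is assumed, and the root crate name "matrix-sdk" is an assumption too.

```python
import re

# Advisory values copied from the cargo audit output in the issue.
ADVISORY = {"id": "RUSTSEC-2021-0130", "crate": "lru", "patched_min": "0.7.1"}

# Constructed sample Cargo.lock (not the project's real lock file). Only the
# rqrr -> lru edge and the lru/rqrr versions come from the issue; the rest is assumed.
SAMPLE_CARGO_LOCK = """
[[package]]
name = "matrix-sdk"
version = "0.5.0"
dependencies = [
 "qrcode",
 "rqrr",
]

[[package]]
name = "qrcode"
version = "0.12.0"
dependencies = [
 "image",
]

[[package]]
name = "image"
version = "0.23.14"

[[package]]
name = "rqrr"
version = "0.4.0"
dependencies = [
 "image",
 "lru",
]

[[package]]
name = "lru"
version = "0.6.6"
dependencies = [
 "hashbrown",
]

[[package]]
name = "hashbrown"
version = "0.11.2"
"""


def parse_cargo_lock(text):
    """Parse the [[package]] tables of a Cargo.lock into {name: (version, [dep names])}.

    Assumes one version per crate name (true for the sample). A real lock file may
    hold several versions of a crate, in which case dependency entries read
    "name version"; the version part is dropped here so only the name is kept.
    """
    packages = {}
    current = None
    in_deps = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {"name": None, "version": None, "deps": []}
            in_deps = False
            continue
        if current is None:
            continue
        if in_deps:  # inside a multi-line dependencies = [ ... ] list
            if line.startswith("]"):
                in_deps = False
            elif line.startswith('"'):
                current["deps"].append(line.strip('",').split()[0])
            continue
        m = re.match(r'^(\w+) = (.*)$', line)
        if not m:
            continue
        key, value = m.groups()
        if key == "dependencies":
            in_deps = not value.endswith("]")  # a bare "[" opens a multi-line list
            if not in_deps:  # single-line form: dependencies = ["a", "b 1.0"]
                current["deps"] = [d.strip().strip('"').split()[0]
                                   for d in value.strip("[]").split(",") if d.strip()]
        elif key in ("name", "version"):
            current[key] = value.strip('"')
        if current["name"] and current["version"]:
            packages[current["name"]] = (current["version"], current["deps"])
    return packages


def version_tuple(v):
    """Plain dotted numeric versions only; pre-release suffixes are not handled."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(version, patched_min):
    """The advisory says 'upgrade to >=0.7.1', so anything below that is affected."""
    return version_tuple(version) < version_tuple(patched_min)


def dependency_paths(packages, target):
    """Every path from a root crate (one nobody depends on) down to `target`."""
    dependents = {}
    for name, (_, deps) in packages.items():
        for dep in deps:
            dependents.setdefault(dep, []).append(name)
    paths = []

    def walk(node, path):
        parents = dependents.get(node, [])
        if not parents:
            paths.append(list(reversed(path)))
            return
        for parent in parents:
            if parent not in path:  # cycle guard; Cargo forbids cycles anyway
                walk(parent, path + [parent])

    walk(target, [target])
    return [[f"{n} {packages[n][0]}" for n in p] for p in paths]


def audit(lock_text, advisory):
    """Return the vulnerable version and its reverse-dependency paths, or None."""
    packages = parse_cargo_lock(lock_text)
    found = packages.get(advisory["crate"])
    if not found or not is_vulnerable(found[0], advisory["patched_min"]):
        return None
    return {"version": found[0], "paths": dependency_paths(packages, advisory["crate"])}


if __name__ == "__main__":
    result = audit(SAMPLE_CARGO_LOCK, ADVISORY)
    for path in result["paths"]:
        print(f'{ADVISORY["id"]}: ' + " -> ".join(path))
```

On a real checkout the same answer comes from `cargo tree -i lru`, which inverts the dependency tree around one crate; the script is only useful where cargo is not available, for instance when a lock file is being reviewed on its own.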

So there are a couple options here.

  1. rqrr is optional, it adds QR code decoding support. We could just remove the optional feature and be done with it.
  2. Fork qrcode and update it.
  3. Use another library to generate QR codes so we can bump rqrr. The best candidate seems to be qrcode_generator.

Option 1. still leaves us with a questionable dependency that continues to use image 0.23.

Option 2. means more code to maintain.

Option 3. means we're going to lose at least some features, i.e. qrcode has a neat unicode based renderer which might be nice to have for weird projects. It also means that the encoder settings twiddling dance needs to be repeated, for reference see commit 63dc939081c3a892bda0be905c7c954324c63c3e.

I wonder if Fractal is using the QR code decoding support, AFAIR they are not using the QR code encoding support. The Element mobile clients will not use either of these.

@jsparber any info on this, how is Fractal using the QR code features?

poljar avatar May 20 '22 07:05 poljar

We use `QrVerification::to_qr_code()` to generate a `QrCode` and `QrVerificationData::from_luma()` to detect QR codes in images.

jsparber avatar May 20 '22 10:05 jsparber

> 2. Fork qrcode and update it.

Can't we update the upstream qrcode crate?

jsparber avatar May 20 '22 11:05 jsparber

There's a PR from somebody else already, but it seems like it's not maintained anymore. I've tried to get in touch with the author earlier today.

jplatte avatar May 20 '22 11:05 jplatte

> 3. Use another library to generate QR codes so we can bump rqrr. The best candidate seems to be qrcode_generator.

Sounds like a viable option, especially since qrcode hasn't been updated in years.

jsparber avatar May 20 '22 11:05 jsparber