Latest release contains crates with 12 security vulnerabilities
cargo audit for v0.1.2
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 477 security advisories (from /home/joerg/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (141 crate dependencies)
Crate: brotli-sys
Version: 0.3.2
Title: Integer overflow in the bundled Brotli C library
Date: 2021-12-20
ID: RUSTSEC-2021-0131
URL: https://rustsec.org/advisories/RUSTSEC-2021-0131
Solution: No fixed upgrade is available!
Dependency tree:
brotli-sys 0.3.2
└── brotli2 0.3.2
    └── nix-index 0.1.2
Crate: crossbeam-deque
Version: 0.6.1
Title: Data race in crossbeam-deque
Date: 2021-07-30
ID: RUSTSEC-2021-0093
URL: https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution: Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree:
crossbeam-deque 0.6.1
└── tokio-threadpool 0.1.6
    ├── tokio-fs 0.1.3
    │   └── tokio 0.1.8
    │       └── tokio-core 0.1.17
    │           ├── tokio-retry 0.1.1
    │           │   └── nix-index 0.1.2
    │           ├── tokio-proto 0.1.1
    │           │   └── hyper 0.11.27
    │           │       └── nix-index 0.1.2
    │           ├── nix-index 0.1.2
    │           └── hyper 0.11.27
    └── tokio 0.1.8
Crate: hyper
Version: 0.11.27
Title: Lenient hyper header parsing of Content-Length could allow request smuggling
Date: 2021-07-07
ID: RUSTSEC-2021-0078
URL: https://rustsec.org/advisories/RUSTSEC-2021-0078
Solution: Upgrade to >=0.14.10
Dependency tree:
hyper 0.11.27
└── nix-index 0.1.2
Crate: hyper
Version: 0.11.27
Title: Integer overflow in hyper's parsing of the Transfer-Encoding header leads to data loss
Date: 2021-07-07
ID: RUSTSEC-2021-0079
URL: https://rustsec.org/advisories/RUSTSEC-2021-0079
Solution: Upgrade to >=0.14.10
Crate: hyper
Version: 0.11.27
Title: Flaw in hyper allows request smuggling by sending a body in GET requests
Date: 2020-03-19
ID: RUSTSEC-2020-0008
URL: https://rustsec.org/advisories/RUSTSEC-2020-0008
Solution: Upgrade to >=0.12.34
Crate: owning_ref
Version: 0.3.3
Title: Multiple soundness issues in owning_ref
Date: 2022-01-26
ID: RUSTSEC-2022-0040
URL: https://rustsec.org/advisories/RUSTSEC-2022-0040
Solution: No fixed upgrade is available!
Dependency tree:
owning_ref 0.3.3
└── lock_api 0.1.3
    └── parking_lot 0.6.4
        └── tokio-reactor 0.1.5
            ├── tokio-uds 0.2.1
            │   └── tokio 0.1.8
            │       └── tokio-core 0.1.17
            │           ├── tokio-retry 0.1.1
            │           │   └── nix-index 0.1.2
            │           ├── tokio-proto 0.1.1
            │           │   └── hyper 0.11.27
            │           │       └── nix-index 0.1.2
            │           ├── nix-index 0.1.2
            │           └── hyper 0.11.27
            ├── tokio-udp 0.1.2
            │   └── tokio 0.1.8
            ├── tokio-tcp 0.1.1
            │   └── tokio 0.1.8
            ├── tokio-core 0.1.17
            └── tokio 0.1.8
Crate: regex
Version: 1.0.5
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date: 2022-03-08
ID: RUSTSEC-2022-0013
URL: https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.0.5
├── nix-index 0.1.2
└── grep 0.1.9
    └── nix-index 0.1.2
Crate: smallvec
Version: 0.6.5
Title: Double-free and use-after-free in SmallVec::grow()
Date: 2019-06-06
ID: RUSTSEC-2019-0009
URL: https://rustsec.org/advisories/RUSTSEC-2019-0009
Solution: Upgrade to >=0.6.10
Dependency tree:
smallvec 0.6.5
└── parking_lot_core 0.3.1
    └── parking_lot 0.6.4
        └── tokio-reactor 0.1.5
            ├── tokio-uds 0.2.1
            │   └── tokio 0.1.8
            │       └── tokio-core 0.1.17
            │           ├── tokio-retry 0.1.1
            │           │   └── nix-index 0.1.2
            │           ├── tokio-proto 0.1.1
            │           │   └── hyper 0.11.27
            │           │       └── nix-index 0.1.2
            │           ├── nix-index 0.1.2
            │           └── hyper 0.11.27
            ├── tokio-udp 0.1.2
            │   └── tokio 0.1.8
            ├── tokio-tcp 0.1.1
            │   └── tokio 0.1.8
            ├── tokio-core 0.1.17
            └── tokio 0.1.8
Crate: smallvec
Version: 0.6.5
Title: Buffer overflow in SmallVec::insert_many
Date: 2021-01-08
ID: RUSTSEC-2021-0003
URL: https://rustsec.org/advisories/RUSTSEC-2021-0003
Solution: Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1
Crate: smallvec
Version: 0.6.5
Title: Memory corruption in SmallVec::grow()
Date: 2019-07-19
ID: RUSTSEC-2019-0012
URL: https://rustsec.org/advisories/RUSTSEC-2019-0012
Solution: Upgrade to >=0.6.10
Crate: thread_local
Version: 0.3.6
Title: Data race in Iter and IterMut
Date: 2022-01-23
ID: RUSTSEC-2022-0006
URL: https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution: Upgrade to >=1.1.4
Dependency tree:
thread_local 0.3.6
└── regex 1.0.5
    ├── nix-index 0.1.2
    └── grep 0.1.9
        └── nix-index 0.1.2
Crate: time
Version: 0.1.40
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.40
├── stderr 0.8.0
│   └── nix-index 0.1.2
└── hyper 0.11.27
    └── nix-index 0.1.2
Crate: ansi_term
Version: 0.10.2
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.10.2
└── nix-index 0.1.2
Crate: ansi_term
Version: 0.11.0
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.11.0
└── clap 2.32.0
    └── nix-index 0.1.2
Crate: net2
Version: 0.2.33
Warning: unmaintained
Title: net2 crate has been deprecated; use socket2 instead
Date: 2020-05-01
ID: RUSTSEC-2020-0016
URL: https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.33
├── tokio-proto 0.1.1
│   └── hyper 0.11.27
│       └── nix-index 0.1.2
├── miow 0.2.1
│   └── mio 0.6.16
│       ├── tokio-uds 0.2.1
│       │   └── tokio 0.1.8
│       │       └── tokio-core 0.1.17
│       │           ├── tokio-retry 0.1.1
│       │           │   └── nix-index 0.1.2
│       │           ├── tokio-proto 0.1.1
│       │           ├── nix-index 0.1.2
│       │           └── hyper 0.11.27
│       ├── tokio-udp 0.1.2
│       │   └── tokio 0.1.8
│       ├── tokio-tcp 0.1.1
│       │   └── tokio 0.1.8
│       ├── tokio-reactor 0.1.5
│       │   ├── tokio-uds 0.2.1
│       │   ├── tokio-udp 0.1.2
│       │   ├── tokio-tcp 0.1.1
│       │   ├── tokio-core 0.1.17
│       │   └── tokio 0.1.8
│       ├── tokio-core 0.1.17
│       ├── tokio 0.1.8
│       └── mio-uds 0.6.7
│           └── tokio-uds 0.2.1
├── mio 0.6.16
└── hyper 0.11.27
Crate: stderr
Version: 0.8.0
Warning: unmaintained
Title: stderr is unmaintained; use eprintln instead
Date: 2020-12-22
ID: RUSTSEC-2020-0109
URL: https://rustsec.org/advisories/RUSTSEC-2020-0109
Dependency tree:
stderr 0.8.0
└── nix-index 0.1.2
Crate: tokio-proto
Version: 0.1.1
Warning: unmaintained
Title: tokio-proto is deprecated/unmaintained
Date: 2020-02-06
ID: RUSTSEC-2020-0162
URL: https://rustsec.org/advisories/RUSTSEC-2020-0162
Dependency tree:
tokio-proto 0.1.1
└── hyper 0.11.27
    └── nix-index 0.1.2
Crate: xml-rs
Version: 0.8.0
Warning: unmaintained
Title: xml-rs is Unmaintained
Date: 2022-01-26
ID: RUSTSEC-2022-0048
URL: https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.0
└── nix-index 0.1.2
Crate: miow
Version: 0.2.1
Warning: yanked
Dependency tree:
miow 0.2.1
└── mio 0.6.16
    ├── tokio-uds 0.2.1
    │   └── tokio 0.1.8
    │       └── tokio-core 0.1.17
    │           ├── tokio-retry 0.1.1
    │           │   └── nix-index 0.1.2
    │           ├── tokio-proto 0.1.1
    │           │   └── hyper 0.11.27
    │           │       └── nix-index 0.1.2
    │           ├── nix-index 0.1.2
    │           └── hyper 0.11.27
    ├── tokio-udp 0.1.2
    │   └── tokio 0.1.8
    ├── tokio-tcp 0.1.1
    │   └── tokio 0.1.8
    ├── tokio-reactor 0.1.5
    │   ├── tokio-uds 0.2.1
    │   ├── tokio-udp 0.1.2
    │   ├── tokio-tcp 0.1.1
    │   ├── tokio-core 0.1.17
    │   └── tokio 0.1.8
    ├── tokio-core 0.1.17
    ├── tokio 0.1.8
    └── mio-uds 0.6.7
        └── tokio-uds 0.2.1
Crate: net2
Version: 0.2.33
Warning: yanked
Crate: smallvec
Version: 0.6.5
Warning: yanked
error: 12 vulnerabilities found!
warning: 9 allowed warnings found
The current master would bring this down to 4 security vulnerabilities
cargo audit for master
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 477 security advisories (from /home/joerg/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (178 crate dependencies)
Crate: brotli-sys
Version: 0.3.2
Title: Integer overflow in the bundled Brotli C library
Date: 2021-12-20
ID: RUSTSEC-2021-0131
URL: https://rustsec.org/advisories/RUSTSEC-2021-0131
Solution: No fixed upgrade is available!
Dependency tree:
brotli-sys 0.3.2
└── brotli2 0.3.2
    └── nix-index 0.1.3
Crate: regex
Version: 1.5.4
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date: 2022-03-08
ID: RUSTSEC-2022-0013
URL: https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.5.4
├── nix-index 0.1.3
├── grep-regex 0.1.9
│   └── grep 0.2.8
│       └── nix-index 0.1.3
├── grep-cli 0.1.6
│   └── grep 0.2.8
└── globset 0.4.8
    └── grep-cli 0.1.6
Crate: thread_local
Version: 1.1.3
Title: Data race in Iter and IterMut
Date: 2022-01-23
ID: RUSTSEC-2022-0006
URL: https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution: Upgrade to >=1.1.4
Dependency tree:
thread_local 1.1.3
└── grep-regex 0.1.9
    └── grep 0.2.8
        └── nix-index 0.1.3
Crate: time
Version: 0.1.43
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.43
└── stderr 0.8.0
    └── nix-index 0.1.3
Crate: ansi_term
Version: 0.12.1
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── nix-index 0.1.3
Crate: stderr
Version: 0.8.0
Warning: unmaintained
Title: stderr is unmaintained; use eprintln instead
Date: 2020-12-22
ID: RUSTSEC-2020-0109
URL: https://rustsec.org/advisories/RUSTSEC-2020-0109
Dependency tree:
stderr 0.8.0
└── nix-index 0.1.3
Crate: xml-rs
Version: 0.8.4
Warning: unmaintained
Title: xml-rs is Unmaintained
Date: 2022-01-26
ID: RUSTSEC-2022-0048
URL: https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.4
└── nix-index 0.1.3
Crate: cpufeatures
Version: 0.2.1
Warning: yanked
Dependency tree:
cpufeatures 0.2.1
└── sha-1 0.9.8
    └── headers 0.3.5
        ├── nix-index 0.1.3
        └── hyper-proxy 0.9.1
            └── nix-index 0.1.3
error: 4 vulnerabilities found!
warning: 4 allowed warnings found
Fixed everything except unmaintained xml-rs and ansi_term. ansi_term is a really small library, so moving away from it has low priority. xml-rs is a bit bigger, but it's also a bit more work to migrate to something else. Perhaps we should find a better way to get the package attributes instead, since using nix-env is not optimal anyway (no support for flakes).