Cargo audit failing #544

ionut-arm opened this issue Oct 18, 2021 · 2 comments
Labels: bug (Something isn't working), security (Issues related to the security and privacy of the service)

ionut-arm commented Oct 18, 2021

As can be seen here, cargo-audit fails due to a number of issues occurring lower in the crate dependency tree. Thus we cannot fix any of the issues directly by updating dependencies of Parsec (yet), but we might be able to help with updating our dependencies in that regard.

The main issue that must be fixed is the segfault that was discovered in time, which is ultimately a dependency of spiffe. Currently a fix for this is blocked because the PR attempting to bump the import in chrono is stalled (see here).

The other issues regarding yanked versions of const-oid and der are waiting for updates up in the chain, which end up feeding into spiffe again. Our plan of action should be to report this to the owner of spiffe, and whenever updates are available to help with patching them there.

  • time dependency fixed
  • der and const-oid dependencies fixed
ionut-arm added the bug and security labels on Oct 18, 2021

ionut-arm commented Jan 28, 2022

The more pressing, time-related vulnerability has the following "culprits" in our dependency tree (NOTE that although these crates use the vulnerable versions of time and chrono, they don't necessarily use the vulnerable methods):

```
Crate:         chrono
Version:       0.4.19
error: 3 vulnerabilities found!
Title:         Potential segfault in `localtime_r` invocations
Date:          2020-11-10
ID:            RUSTSEC-2020-0159
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
Dependency tree: 
chrono 0.4.19
├── x509-parser 0.9.2
│   └── spiffe 0.2.0
│       └── parsec-service 0.8.1
├── spiffe 0.2.0
├── simple_asn1 0.5.4
└── simple_asn1 0.4.1

Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.44
└── chrono 0.4.19
    ├── x509-parser 0.9.2
    │   └── spiffe 0.2.0
    │       └── parsec-service 0.8.1
    ├── spiffe 0.2.0
    ├── simple_asn1 0.5.4
    └── simple_asn1 0.4.1
```

There is also a problem with rusqlite that I will fix in a new PR shortly (cc @MattDavis00):

```
Crate:         rusqlite
Version:       0.25.3
Title:         Incorrect Lifetime Bounds on Closures in `rusqlite`
Date:          2021-12-07
ID:            RUSTSEC-2021-0128
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0128
Solution:      Upgrade to >=0.26.2 OR ^0.25.4
Dependency tree: 
rusqlite 0.25.3
└── parsec-service 0.8.1
```
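As an added example (not code from the issue or the Parsec project), the script below parses report text in the layout quoted in this comment and, for each advisory, tells whether the vulnerable crate is a direct dependency of the project (fixable in its own Cargo.toml) or reaches it only through another crate, which is then the one whose maintainers have to pick up the upstream fix. The sample report is constructed from the IDs, versions and crates above, and the root crate name `parsec-service` is the one shown in the trees.

```python
"""Triage cargo-audit's plain-text report (layout as quoted above) by dependency path."""
import re

# Constructed sample in the report's layout: two of the advisories above, only the fields read here.
SAMPLE = """\
Crate:         time
ID:            RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.44
└── chrono 0.4.19
    ├── x509-parser 0.9.2
    │   └── spiffe 0.2.0
    │       └── parsec-service 0.8.1
    └── spiffe 0.2.0

Crate:         rusqlite
ID:            RUSTSEC-2021-0128
Solution:      Upgrade to >=0.26.2 OR ^0.25.4
Dependency tree: 
rusqlite 0.25.3
└── parsec-service 0.8.1
"""
# Every 4-character unit of tree prefix is one of "│   ", "    ", "├── ", "└── ".
TREE_LINE = re.compile(r"^((?:[│ ]   |[├└]── )*)(\S+) (\S+)$")

def paths_to(tree_text, project):
    """Chains of crate names from the vulnerable crate (the root) down to `project`."""
    stack, paths = [], []
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        del stack[len(m.group(1)) // 4:]  # prefix length gives the depth; back up to the parent
        stack.append(m.group(2))
        if m.group(2) == project:
            paths.append(list(stack))
    return paths

def triage(report, project):
    """Map advisory ID -> (crate, 'direct' or 'via <our direct dependency>', solution)."""
    out = {}
    for block in report.strip().split("\n\n"):
        head, _, tree = block.partition("Dependency tree:")
        fields = dict(re.findall(r"^(\w+):\s+(.*?)\s*$", head, re.M))
        chains = paths_to(tree, project)
        # In a longer chain, the crate right above the project is our direct dependency.
        via = sorted({c[-2] for c in chains if len(c) > 2})
        route = "direct" if any(len(c) == 2 for c in chains) else ("via " + ", ".join(via) if via else "unreached")
        out[fields["ID"]] = (fields["Crate"], route, fields["Solution"])
    return out
```

Running `triage(SAMPLE, "parsec-service")` reports RUSTSEC-2020-0071 as reaching the project only via spiffe and RUSTSEC-2021-0128 as a direct dependency, which is the split between "report upstream" and "bump in our Cargo.toml" that the comments describe.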

ionut-arm commented

The vulnerability related to chrono/time has been posted as a security advisory here and this PR is removing it from the list of vulnerabilities reported by cargo-audit.
