ci: the test job now builds the project first #8
Security advisories found
3 advisories, 2 unmaintained, 1 unsound
Details
Vulnerabilities
RUSTSEC-2022-0093
Double Public Key Signing Function Oracle Attack on
ed25519-dalek
| Details | |
|---|---|
| Package | ed25519-dalek |
| Version | 1.0.0-pre.3 |
| URL | https://github.com/MystenLabs/ed25519-unsafe-libs |
| Date | 2022-06-11 |
| Patched versions | >=2 |
Versions of ed25519-dalek prior to v2.0 model private and public keys as
separate types which can be assembled into a Keypair, and also provide APIs
for serializing and deserializing 64-byte private/public keypairs.
Such APIs and serializations are inherently unsafe as the public key is one of
the inputs used in the deterministic computation of the S part of the signature,
but not in the R value. An adversary could somehow use the signing function as
an oracle that allows arbitrary public keys as input can obtain two signatures
for the same message sharing the same R and only differ on the S part.
Unfortunately, when this happens, one can easily extract the private key.
Revised public APIs in v2.0 of ed25519-dalek do NOT allow a decoupled
private/public keypair as signing input, except as part of specially labeled
"hazmat" APIs which are clearly labeled as being dangerous if misused.
RUSTSEC-2022-0090
libsqlite3-sysvia C SQLite CVE-2022-35737
| Details | |
|---|---|
| Package | libsqlite3-sys |
| Version | 0.20.1 |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2022-35737 |
| Date | 2022-08-03 |
| Patched versions | >=0.25.1 |
It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large string were input into SQLite's printf function.
As libsqlite3-sys bundles SQLite, it is susceptible to the vulnerability. libsqlite3-sys was updated to bundle the patched version of SQLite here.
RUSTSEC-2020-0071
Potential segfault in the time crate
| Details | |
|---|---|
| Package | time |
| Version | 0.1.45 |
| URL | time-rs/time#293 |
| Date | 2020-11-18 |
| Patched versions | >=0.2.23 |
| Unaffected versions | =0.2.0,=0.2.1,=0.2.2,=0.2.3,=0.2.4,=0.2.5,=0.2.6 |
Impact
Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
The affected functions from time 0.2.7 through 0.2.22 are:
time::UtcOffset::local_offset_attime::UtcOffset::try_local_offset_attime::UtcOffset::current_local_offsettime::UtcOffset::try_current_local_offsettime::OffsetDateTime::now_localtime::OffsetDateTime::try_now_local
The affected functions in time 0.1 (all versions) are:
atat_utcnow
Non-Unix targets (including Windows and wasm) are unaffected.
Patches
Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.
Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.
Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.
Workarounds
A possible workaround for crates affected through the transitive dependency in chrono, is to avoid using the default oldtime feature dependency of the chrono crate by disabling its default-features and manually specifying the required features instead.
Examples:
Cargo.toml:
chrono = { version = "0.4", default-features = false, features = ["serde"] }chrono = { version = "0.4.22", default-features = false, features = ["clock"] }Commandline:
cargo add chrono --no-default-features -F clockSources:
Warnings
RUSTSEC-2020-0168
mach is unmaintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | mach |
| Version | 0.3.2 |
| URL | fitzgen/mach#63 |
| Date | 2020-07-14 |
Last release was almost 4 years ago.
Maintainer(s) seem to be completely unreachable.
Possible Alternative(s)
These may or may not be suitable alternatives and have not been vetted in any way;
- mach2 - direct fork
RUSTSEC-2020-0056
stdweb is unmaintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | stdweb |
| Version | 0.4.20 |
| URL | koute/stdweb#403 |
| Date | 2020-05-04 |
The author of the stdweb crate is unresponsive.
Maintained alternatives:
RUSTSEC-2021-0145
Potential unaligned read
| Details | |
|---|---|
| Status | unsound |
| Package | atty |
| Version | 0.2.14 |
| URL | softprops/atty#50 |
| Date | 2021-07-04 |
On windows, atty dereferences a potentially unaligned pointer.
In practice however, the pointer won't be unaligned unless a custom global allocator is used.
In particular, the System allocator on windows uses HeapAlloc, which guarantees a large enough alignment.
atty is Unmaintained
A Pull Request with a fix has been provided over a year ago but the maintainer seems to be unreachable.
Last release of atty was almost 3 years ago.
Possible Alternative(s)
The below list has not been vetted in any way and may or may not contain alternatives;
- std::io::IsTerminal - Stable since Rust 1.70.0
- is-terminal - Standalone crate supporting Rust older than 1.70.0