Cargo Audit Flagged Some Security Issues
bvaisvil opened this issue
Benjamin Vaisvil commented
The `cargo audit` failed because of `heim` dependency `raw-cpuid`:

```
Crate: raw-cpuid
Version: 8.1.2
Title: Soundness issues in `raw-cpuid`
Date: 2021-01-20
ID: RUSTSEC-2021-0013
URL: https://rustsec.org/advisories/RUSTSEC-2021-0013
Solution: Upgrade to >=9.0.0
Dependency tree:
raw-cpuid 8.1.2
└── heim-virt 0.1.0-rc.1
    └── heim 0.1.0-rc.1
        └── zenith 0.12.0

error: 1 vulnerability found!
```
There's a pull request that would fix the issue, but as of yet is not merged: heim-rs/heim#308
Benjamin Vaisvil commented
```
Crate: crossbeam-deque
Version: 0.8.0
Title: Data race in crossbeam-deque
Date: 2021-07-30
ID: RUSTSEC-2021-0093
URL: https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution: Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree:
crossbeam-deque 0.8.0
├── rayon-core 1.9.0
│   └── rayon 1.5.0
│       └── sysinfo 0.15.1
│           └── zenith 0.12.0
└── rayon 1.5.0

Crate: raw-cpuid
Version: 8.1.2
Title: Optional `Deserialize` implementations lacking validation
Date: 2021-01-20
ID: RUSTSEC-2021-0089
URL: https://rustsec.org/advisories/RUSTSEC-2021-0089
Solution: Upgrade to >=9.1.1
Dependency tree:
raw-cpuid 8.1.2
└── heim-virt 0.1.0-rc.1
    └── heim 0.1.0-rc.1
        └── zenith 0.12.0

Crate: raw-cpuid
Version: 8.1.2
Title: Soundness issues in `raw-cpuid`
Date: 2021-01-20
ID: RUSTSEC-2021-0013
URL: https://rustsec.org/advisories/RUSTSEC-2021-0013
Solution: Upgrade to >=9.0.0
```
Benjamin Vaisvil commented
Updating my branch of `sysinfo` should fix the crossbeam one. Looks like `cpuid` was updated, I think updating the branch of `heim` I'm using may fix that.
Benjamin Vaisvil commented
Updating `heim` didn't change which version of `cpuid` was being used. So I'm not sure where to go from here.
Benjamin Vaisvil commented
Latest commit fixes the issue with `nix` version by using my own branch of `heim`.
```
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 468 security advisories (from /home/benjamin/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (200 crate dependencies)
Crate: regex
Version: 1.4.6
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date: 2022-03-08
ID: RUSTSEC-2022-0013
URL: https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.4.6
├── env_logger 0.9.1
│   ├── zenith 0.14.0
│   └── bindgen 0.59.2
│       └── linux-taskstats 0.2.0
│           └── zenith 0.14.0
└── bindgen 0.59.2

Crate: time
Version: 0.1.44
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    └── zenith 0.14.0

Crate: ansi_term
Version: 0.12.1
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    └── bindgen 0.59.2
        └── linux-taskstats 0.2.0
            └── zenith 0.14.0

error: 2 vulnerabilities found!
warning: 1 allowed warning found
```
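The recurring question in this thread is which crate to actually bump: the vulnerable crate is transitive, so the fix lives in whichever direct dependency of `zenith` drags it in (`chrono` for `time`, `sysinfo` for `crossbeam-deque`, `heim` for `raw-cpuid`). The following is an added example, not code from zenith or cargo-audit: it parses the plain-text report format quoted above (the `SAMPLE_REPORT` constant is an excerpt of the last comment's output) and reads each direct-dependency entry point off the dependency tree, separating real vulnerabilities from "unmaintained" warnings for a CI gate. The root crate name (`zenith`) is passed in as a parameter; the 4-column tree prefix width is an assumption based on the trees shown.

```rust
// Added example (not zenith's or cargo-audit's own code): triage the text
// report `cargo audit` prints by finding, per advisory, which direct
// dependency of the root crate carries the vulnerable crate.

#[derive(Debug, Clone, Default, PartialEq)]
pub struct Finding {
    pub crate_name: String,
    pub version: String,
    pub id: String,
    pub title: String,
    pub solution: Option<String>,
    /// Set for informational advisories ("unmaintained"); absent for vulnerabilities.
    pub warning: Option<String>,
    /// Dependency tree as (depth, "name version"); depth 0 is the vulnerable crate.
    pub tree: Vec<(usize, String)>,
}

/// Tree lines use 4-column prefixes ("├── ", "└── ", "│   "), so the column where
/// the crate name starts gives its depth. (Assumed from the trees in the report.)
fn tree_entry(line: &str) -> (usize, String) {
    let chars: Vec<char> = line.chars().collect();
    let start = chars
        .iter()
        .position(|c| !matches!(c, ' ' | '│' | '├' | '└' | '─'))
        .unwrap_or(chars.len());
    (start / 4, chars[start..].iter().collect::<String>().trim().to_string())
}

pub fn parse_report(text: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut cur: Option<Finding> = None;
    let mut in_tree = false;
    for line in text.lines().map(str::trim_end) {
        // "Crate:" starts a new record and ends any tree in progress.
        if let Some(name) = line.strip_prefix("Crate:") {
            findings.extend(cur.take());
            cur = Some(Finding { crate_name: name.trim().to_string(), ..Default::default() });
            in_tree = false;
            continue;
        }
        let f = match cur.as_mut() {
            Some(f) => f,
            None => continue, // header chatter before the first record
        };
        if in_tree {
            if line.trim().is_empty() || line.starts_with("error:") || line.starts_with("warning:") {
                in_tree = false;
            } else {
                f.tree.push(tree_entry(line));
            }
            continue;
        }
        if let Some((key, val)) = line.split_once(':') {
            let val = val.trim().to_string();
            match key.trim() {
                "Version" => f.version = val,
                "Title" => f.title = val,
                "ID" => f.id = val,
                "Solution" => f.solution = Some(val),
                "Warning" => f.warning = Some(val),
                "Dependency tree" => in_tree = true,
                _ => {} // Date, URL: not needed for this triage
            }
        }
    }
    findings.extend(cur);
    findings
}

/// Walk the tree with a path stack; whenever `root` appears, its parent on the
/// path is a direct dependency of the root that pulls in the vulnerable crate.
pub fn entry_points(f: &Finding, root: &str) -> Vec<String> {
    let mut path: Vec<String> = Vec::new();
    let mut out = Vec::new();
    for (depth, node) in &f.tree {
        path.truncate(*depth);
        path.push(node.clone());
        let name = node.split_whitespace().next().unwrap_or("");
        if name == root && *depth >= 1 {
            let parent = path[*depth - 1].clone();
            if !out.contains(&parent) {
                out.push(parent);
            }
        }
    }
    out
}

/// IDs that should fail a CI gate: vulnerabilities, not "unmaintained" warnings.
pub fn blocking_ids(findings: &[Finding]) -> Vec<String> {
    findings.iter().filter(|f| f.warning.is_none()).map(|f| f.id.clone()).collect()
}

/// Excerpt of the report quoted in the last comment above.
pub const SAMPLE_REPORT: &str = "Scanning Cargo.lock for vulnerabilities (200 crate dependencies)
Crate: regex
Version: 1.4.6
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
ID: RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.4.6
├── env_logger 0.9.1
│   ├── zenith 0.14.0
│   └── bindgen 0.59.2
│       └── linux-taskstats 0.2.0
│           └── zenith 0.14.0
└── bindgen 0.59.2

Crate: time
Version: 0.1.44
Title: Potential segfault in the time crate
ID: RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    └── zenith 0.14.0

Crate: ansi_term
Version: 0.12.1
Warning: unmaintained
Title: ansi_term is Unmaintained
ID: RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    └── bindgen 0.59.2
        └── linux-taskstats 0.2.0
            └── zenith 0.14.0

error: 2 vulnerabilities found!
warning: 1 allowed warning found
";

fn main() {
    for f in parse_report(SAMPLE_REPORT) {
        let kind = if f.warning.is_some() { "warning" } else { "vulnerability" };
        println!("{} ({}): {} {} -> bump one of {:?}",
                 f.id, kind, f.crate_name, f.version, entry_points(&f, "zenith"));
    }
}
```

For the `regex` finding this yields two entry points (`env_logger` and `linux-taskstats`, the latter via `bindgen`), which is exactly the case where bumping a single direct dependency is not enough; the `time` finding resolves to `chrono` alone. Pair `blocking_ids` with `cargo audit`'s own `--ignore` list so an "unmaintained" warning does not block a release while a real advisory still does.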