Cargo Audit Flagged Some Security Issues

Question

Cargo Audit Flagged Some Security Issues

bvaisvil opened this issue 4 years ago · comments

The cargo audit failed because of heim dependency raw-cpuid:

Crate:         raw-cpuid
Version:       8.1.2
Title:         Soundness issues in `raw-cpuid`
Date:          2021-01-20
ID:            RUSTSEC-2021-0013
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0013
Solution:      Upgrade to >=9.0.0
Dependency tree:
raw-cpuid 8.1.2
└── heim-virt 0.1.0-rc.1
    └── heim 0.1.0-rc.1
        └── zenith 0.12.0

error: 1 vulnerability found!

There's a pull request that would fix the issue, but as of yet is not merged: heim-rs/heim#308

Benjamin Vaisvil · Answer 1 · Thu Sep 09 2021 13:13:49 GMT+0800 (China Standard Time)

Crate:         crossbeam-deque
Version:       0.8.0
Title:         Data race in crossbeam-deque
Date:          2021-07-30
ID:            RUSTSEC-2021-0093
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution:      Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree:
crossbeam-deque 0.8.0
├── rayon-core 1.9.0
│   └── rayon 1.5.0
│       └── sysinfo 0.15.1
│           └── zenith 0.12.0
└── rayon 1.5.0

Crate:         raw-cpuid
Version:       8.1.2
Title:         Optional `Deserialize` implementations lacking validation
Date:          2021-01-20
ID:            RUSTSEC-2021-0089
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0089
Solution:      Upgrade to >=9.1.1
Dependency tree:
raw-cpuid 8.1.2
└── heim-virt 0.1.0-rc.1
    └── heim 0.1.0-rc.1
        └── zenith 0.12.0

Crate:         raw-cpuid
Version:       8.1.2
Title:         Soundness issues in `raw-cpuid`
Date:          2021-01-20
ID:            RUSTSEC-2021-0013
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0013
Solution:      Upgrade to >=9.0.0

Benjamin Vaisvil · Answer 2 · Thu Sep 09 2021 13:15:17 GMT+0800 (China Standard Time)

Updating my branch of sysinfo should fix the crossbeam one. Looks like cpuid was updated, I think updating the branch of heim I'm using may fix that.

Benjamin Vaisvil · Answer 3 · Tue Sep 21 2021 03:58:18 GMT+0800 (China Standard Time)

Updating heim didn't change which version of cpuid was being used. So I'm not sure where to go from here.

Benjamin Vaisvil · Answer 4 · Fri Nov 04 2022 01:06:48 GMT+0800 (China Standard Time)

Latest commit fixes the issue with nix version by using my own branch of heim.


    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 468 security advisories (from /home/benjamin/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (200 crate dependencies)
Crate:         regex
Version:       1.4.6
Title:         Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:          2022-03-08
ID:            RUSTSEC-2022-0013
URL:           https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:      Upgrade to >=1.5.5
Dependency tree:
regex 1.4.6
├── env_logger 0.9.1
│   ├── zenith 0.14.0
│   └── bindgen 0.59.2
│       └── linux-taskstats 0.2.0
│           └── zenith 0.14.0
└── bindgen 0.59.2

Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    └── zenith 0.14.0

Crate:         ansi_term
Version:       0.12.1
Warning:       unmaintained
Title:         ansi_term is Unmaintained
Date:          2021-08-18
ID:            RUSTSEC-2021-0139
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    └── bindgen 0.59.2
        └── linux-taskstats 0.2.0
            └── zenith 0.14.0

error: 2 vulnerabilities found!
warning: 1 allowed warning found```