hrkfdn / ncspot

Cross-platform ncurses Spotify client written in Rust, inspired by ncmpc and the likes.

Security vulnerabilities found by `cargo audit`

jlkDE opened this issue · comments

Describe the bug

Hello, I am one of the openSUSE ncspot package maintainers.

The package build routines nowadays include a check via cargo audit to only allow updates without security vulnerabilities. The current version v1.0.0 fails that check because of 5 discovered vulnerabilities:

Crate:     ncurses
Version:   5.101.0
Title:     Buffer overflow and format vulnerabilities in functions exposed without unsafe
Date:      2019-06-15
ID:        RUSTSEC-2019-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2019-0006
Solution:  No fixed upgrade is available!
Dependency tree:
ncurses 5.101.0
├── pancurses 0.17.0
│   ├── ncspot 1.0.0
│   │   └── xtask 0.1.0
│   └── cursive 0.20.0
│       └── ncspot 1.0.0
└── cursive 0.20.0

Crate:     owning_ref
Version:   0.4.1
Title:     Multiple soundness issues in `owning_ref`
Date:      2022-01-26
ID:        RUSTSEC-2022-0040
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0040
Solution:  No fixed upgrade is available!
Dependency tree:
owning_ref 0.4.1
└── cursive_core 0.3.7
    ├── cursive_buffered_backend 0.6.1
    │   └── ncspot 1.0.0
    │       └── xtask 0.1.0
    └── cursive 0.20.0
        └── ncspot 1.0.0

Crate:     pancurses
Version:   0.17.0
Title:     Format string vulnerabilities in `pancurses`
Date:      2019-06-15
ID:        RUSTSEC-2019-0005
URL:       https://rustsec.org/advisories/RUSTSEC-2019-0005
Severity:  7.5 (high)
Solution:  No fixed upgrade is available!
Dependency tree:
pancurses 0.17.0
├── ncspot 1.0.0
│   └── xtask 0.1.0
└── cursive 0.20.0
    └── ncspot 1.0.0

Crate:     parse_duration
Version:   2.1.1
Title:     Denial of service through parsing payloads with too big exponent
Date:      2021-03-18
ID:        RUSTSEC-2021-0041
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0041
Severity:  7.5 (high)
Solution:  No fixed upgrade is available!
Dependency tree:
parse_duration 2.1.1
└── ncspot 1.0.0
    └── xtask 0.1.0

Crate:     xcb
Version:   0.8.2
Title:     Multiple soundness issues
Date:      2021-02-04
ID:        RUSTSEC-2021-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0019
Solution:  Upgrade to >=1.0
Dependency tree:
xcb 0.8.2
└── x11-clipboard 0.3.3
    └── clipboard 0.5.0
        └── ncspot 1.0.0
            └── xtask 0.1.0

To Reproduce

Steps to reproduce the behavior:

  1. Run cargo audit in the root directory.

Expected behavior

Generally the best course of action would be to fix all issues, but if they are not applicable or exploitable in the way the dependencies are used by ncspot we could ignore them.
My proposal would be the following:

  1. RUSTSEC-2019-0006: To me this sounds like an inevitable problem of the ncurses crate, but I found no usages of the affected functions. Can we ignore the report right now?
  2. RUSTSEC-2022-0040: The advisory mentions the safe replacement safer_owning_ref, would that work?
  3. RUSTSEC-2019-0005: Similar to RUSTSEC-2019-0006.
  4. RUSTSEC-2021-0041: parse_duration seems to only be used for the seek functionality, maybe you could add a documentation disclaimer to that or limit the possible input range?
  5. RUSTSEC-2021-0019: The proposed solution would be to upgrade the dependency to a version >= 1.0, would that work?

Right now I am building the package with ignoring the report, but I would like to clarify if there are security risks before submitting it to the main branch.
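One way to act on proposal 4 ("limit the possible input range") is to stop passing raw user text to parse_duration at all and accept only a small, bounded seek format instead. The snippet below is an added example, not ncspot's own code; it assumes the seek command receives a short user-typed string and that "SS", "M:SS" and "H:M:SS" cover the use case, so anything else (including exponent-style payloads like the constructed "1e1000000000") is rejected before any parsing work happens.

```rust
// Added example (not ncspot's code): a bounded seek-position parser that only
// accepts "SS", "M:SS" or "H:M:SS", caps the input length, and uses checked
// arithmetic. Inputs that RUSTSEC-2021-0041 describes (huge exponents) never
// reach a general-purpose duration parser because 'e', '.', '-' etc. are refused.

const MAX_SEEK_INPUT_LEN: usize = 12; // "hhh:mm:ss" plus a little slack
const MAX_SEEK_SECS: u64 = 24 * 60 * 60; // assumption: no track is longer than a day

#[derive(Debug, PartialEq)]
pub enum SeekError { TooLong, BadChar, BadFormat, OutOfRange }

pub fn parse_seek_seconds(input: &str) -> Result<u64, SeekError> {
    let s = input.trim();
    // Length cap first: bounds the cost of everything that follows.
    if s.len() > MAX_SEEK_INPUT_LEN { return Err(SeekError::TooLong); }
    // Only ASCII digits and ':' are allowed, so no exponents, signs or decimals.
    if s.is_empty() || !s.chars().all(|c| c.is_ascii_digit() || c == ':') {
        return Err(SeekError::BadChar);
    }
    let parts: Vec<&str> = s.split(':').collect();
    if parts.len() > 3 || parts.iter().any(|p| p.is_empty()) {
        return Err(SeekError::BadFormat);
    }
    let mut total: u64 = 0;
    for (i, part) in parts.iter().enumerate() {
        // At most 12 digits, so this u64 parse cannot overflow or become expensive.
        let v: u64 = part.parse().map_err(|_| SeekError::BadFormat)?;
        // Every field after the first is minutes or seconds and must be < 60.
        if i > 0 && v >= 60 { return Err(SeekError::BadFormat); }
        total = total
            .checked_mul(60)
            .and_then(|t| t.checked_add(v))
            .ok_or(SeekError::OutOfRange)?;
    }
    if total > MAX_SEEK_SECS { return Err(SeekError::OutOfRange); }
    Ok(total)
}

fn main() {
    // Constructed sample inputs, including an exponent-style payload.
    for input in ["90", "1:30", "1:02:03", "1e1000000000", "12345678901234"] {
        println!("{:?} -> {:?}", input, parse_seek_seconds(input));
    }
}
```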

Hi, almost all of these are due to transitive dependencies that are needed by cursive, which we can't really swap, I believe:

For the last one we'd have to switch to a different clipboard library. Not sure how much that would help, though.