863992 – app-backup/rdedup: 'cargo audit' reports one or more bundled CRATES as vulnerable

Bug 863992 - app-backup/rdedup: 'cargo audit' reports one or more bundled CRATES as vulnerable

Summary: app-backup/rdedup: 'cargo audit' reports one or more bundled CRATES as vulner...

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:	921367
Blocks:
	Show dependency tree

Reported:	2022-08-06 15:24 UTC by Agostino Sarubbo
Modified:	2024-03-17 10:39 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2022-08-06 15:24:50 UTC

Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching here the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (32 crate dependencies)
Crate:     regex
Version:   0.1.80
Title:     Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:      2022-03-08
ID:        RUSTSEC-2022-0013
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:  Upgrade to >=1.5.5
Dependency tree:
regex 0.1.80

Crate:     rust-crypto
Version:   0.2.36
Title:     Miscomputation when performing AES encryption in rust-crypto
Date:      2022-02-28
ID:        RUSTSEC-2022-0011
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0011
Solution:  No fixed upgrade is available!
Dependency tree:
rust-crypto 0.2.36

Crate:     rustc-serialize
Version:   0.3.22
Title:     Stack overflow in rustc_serialize when parsing deeply nested JSON
Date:      2022-01-01
ID:        RUSTSEC-2022-0004
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0004
Solution:  No fixed upgrade is available!
Dependency tree:
rustc-serialize 0.3.22

Crate:     sodiumoxide
Version:   0.0.12
Title:     scalarmult() vulnerable to degenerate public keys
Date:      2017-01-26
ID:        RUSTSEC-2017-0001
URL:       https://rustsec.org/advisories/RUSTSEC-2017-0001
Solution:  Upgrade to >=0.0.14
Dependency tree:
sodiumoxide 0.0.12

Crate:     sodiumoxide
Version:   0.0.12
Title:     generichash::Digest::eq always return true
Date:      2019-10-11
ID:        RUSTSEC-2019-0026
URL:       https://rustsec.org/advisories/RUSTSEC-2019-0026
Solution:  Upgrade to >=0.2.5

Crate:     thread_local
Version:   0.2.7
Title:     Data race in `Iter` and `IterMut`
Date:      2022-01-23
ID:        RUSTSEC-2022-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:  Upgrade to >=1.1.4
Dependency tree:
thread_local 0.2.7

Crate:     time
Version:   0.1.36
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.36

Crate:     rust-crypto
Version:   0.2.36
Warning:   unmaintained
Title:     rust-crypto is unmaintained; switch to a modern alternative
Date:      2016-09-06
ID:        RUSTSEC-2016-0005
URL:       https://rustsec.org/advisories/RUSTSEC-2016-0005

error: 7 vulnerabilities found!
warning: 1 allowed warning found