864004 – app-crypt/sequoia-sq: 'cargo audit' reports one or more bundled CRATES as vulnerable

Bug 864004 - app-crypt/sequoia-sq: 'cargo audit' reports one or more bundled CRATES as vulnerable

Summary: app-crypt/sequoia-sq: 'cargo audit' reports one or more bundled CRATES as vul...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [stable?]
Keywords:

Depends on:
Blocks:

Reported:	2022-08-06 15:27 UTC by Agostino Sarubbo
Modified:	2024-06-03 00:44 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2022-08-06 15:27:34 UTC

Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching here the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (544 crate dependencies)
Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     regex
Version:   1.5.4
Title:     Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:      2022-03-08
ID:        RUSTSEC-2022-0013
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:  Upgrade to >=1.5.5
Dependency tree:
regex 1.5.4

Crate:     thread_local
Version:   1.1.3
Title:     Data race in `Iter` and `IterMut`
Date:      2022-01-23
ID:        RUSTSEC-2022-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:  Upgrade to >=1.1.4
Dependency tree:
thread_local 1.1.3

Crate:     time
Version:   0.1.43
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.43

Crate:     aes-soft
Version:   0.6.4
Warning:   unmaintained
Title:     `aes-soft` has been merged into the `aes` crate
Date:      2021-04-29
ID:        RUSTSEC-2021-0060
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0060
Dependency tree:
aes-soft 0.6.4

Crate:     aesni
Version:   0.10.0
Warning:   unmaintained
Title:     `aesni` has been merged into the `aes` crate
Date:      2021-04-29
ID:        RUSTSEC-2021-0059
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0059
Dependency tree:
aesni 0.10.0

Crate:     serde_cbor
Version:   0.11.2
Warning:   unmaintained
Title:     serde_cbor is unmaintained
Date:      2021-08-15
ID:        RUSTSEC-2021-0127
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0127
Dependency tree:
serde_cbor 0.11.2

Crate:     term_size
Version:   0.3.2
Warning:   unmaintained
Title:     `term_size` is unmaintained; use `terminal_size` instead
Date:      2020-11-03
ID:        RUSTSEC-2020-0163
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0163
Dependency tree:
term_size 0.3.2

error: 4 vulnerabilities found!
warning: 4 allowed warnings found

Comment 1 Larry the Git Cow gentoo-dev

2023-12-24 02:55:41 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=681dd8889e4c38b9c2449257495567b0ab2daf6f

commit 681dd8889e4c38b9c2449257495567b0ab2daf6f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-12-24 02:29:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-24 02:30:04 +0000

    app-crypt/sequoia-sq: drop 0.31.0
    
    Bug: https://bugs.gentoo.org/862300
    Bug: https://bugs.gentoo.org/864004
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/sequoia-sq/sequoia-sq-0.31.0.ebuild | 511 --------------------------
 1 file changed, 511 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=254d4abc8fc14cc0d6a4fd9b90170f0a0280f061

commit 254d4abc8fc14cc0d6a4fd9b90170f0a0280f061
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-12-24 02:29:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-24 02:30:02 +0000

    app-crypt/sequoia-sq: add 0.32.0
    
    Bug: https://bugs.gentoo.org/862300
    Bug: https://bugs.gentoo.org/864004
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/sequoia-sq/Manifest                 | 261 +++++++++++++
 app-crypt/sequoia-sq/sequoia-sq-0.32.0.ebuild | 531 ++++++++++++++++++++++++++
 2 files changed, 792 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2024-06-03 00:44:37 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c823b82db78b15ea38f0716b124cac382d94d62

commit 4c823b82db78b15ea38f0716b124cac382d94d62
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-06-03 00:34:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-06-03 00:34:36 +0000

    app-crypt/sequoia-sq: drop 0.33.0, 0.34.0-r1
    
    Closes: https://bugs.gentoo.org/864004
    Closes: https://bugs.gentoo.org/862300
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/sequoia-sq/Manifest                    | 191 --------
 app-crypt/sequoia-sq/sequoia-sq-0.33.0.ebuild    | 527 ----------------------
 app-crypt/sequoia-sq/sequoia-sq-0.34.0-r1.ebuild | 550 -----------------------
 3 files changed, 1268 deletions(-)