Bug 864010 - app-emulation/ruffle: 'cargo audit' reports one or more bundled CRATES as vulnerable
Summary: app-emulation/ruffle: 'cargo audit' reports one or more bundled CRATES as vul...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/germangb/minimp3-r...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-06 15:28 UTC by Agostino Sarubbo
Modified: 2022-12-30 21:14 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2022-08-06 15:28:24 UTC
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the output of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (513 crate dependencies)
Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     slice-deque
Version:   0.3.0
Title:     SliceDeque::drain_filter can double drop an element if the predicate panics
Date:      2021-02-19
ID:        RUSTSEC-2021-0047
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0047
Solution:  No fixed upgrade is available!
Dependency tree:
slice-deque 0.3.0

Crate:     time
Version:   0.1.43
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.43

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate:     xcb
Version:   0.8.2
Title:     Multiple soundness issues
Date:      2021-02-04
ID:        RUSTSEC-2021-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0019
Solution:  Upgrade to >=1.0
Dependency tree:
xcb 0.8.2

Crate:     slice-deque
Version:   0.3.0
Warning:   unmaintained
Title:     slice-deque is unmaintained
Date:      2020-02-10
ID:        RUSTSEC-2020-0158
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0158

Crate:     stdweb
Version:   0.1.3
Warning:   unmaintained
Title:     stdweb is unmaintained
Date:      2020-05-04
ID:        RUSTSEC-2020-0056
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.1.3

error: 5 vulnerabilities found!
warning: 2 allowed warnings found
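As an added example (not part of the bug report or of cargo-audit itself), the following script parses the plain-text report format quoted above into records and buckets them the way a packager has to act on them: hits with an upgrade target, hits with no fix available (the slice-deque case here), and unmaintained-crate warnings. The sample input is constructed from the report above; field names and the `Finding` type are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample, trimmed from the 'cargo audit' report quoted in the bug description.
SAMPLE_REPORT = """\
Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
ID:        RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20

Crate:     slice-deque
Version:   0.3.0
ID:        RUSTSEC-2021-0047
Solution:  No fixed upgrade is available!

Crate:     stdweb
Version:   0.1.3
Warning:   unmaintained
ID:        RUSTSEC-2020-0056

error: 5 vulnerabilities found!
"""

@dataclass
class Finding:
    crate: str
    version: str
    advisory: str
    warning: Optional[str] = None   # e.g. "unmaintained"; None for a vulnerability
    solution: Optional[str] = None  # None when the advisory block has no Solution: line
    def fix_available(self) -> bool:
        """cargo audit names a target version only when an upgrade exists."""
        return bool(self.solution) and self.solution.startswith("Upgrade to")

FIELD = re.compile(r"^(Crate|Version|Warning|ID|Solution):\s+(.*)$")

def parse_report(text: str) -> list:
    """Split on blank lines; every block containing a Crate: line is one advisory hit."""
    findings = []
    for block in re.split(r"\n\s*\n", text):
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if "Crate" in fields:  # skips the trailing 'error: ...' summary block
            findings.append(Finding(fields["Crate"], fields["Version"], fields["ID"],
                                    fields.get("Warning"), fields.get("Solution")))
    return findings

def triage(findings) -> dict:
    vulns = [f for f in findings if f.warning is None]
    return {"fixable": [f for f in vulns if f.fix_available()],
            "no_fix": [f for f in vulns if not f.fix_available()],
            "warnings": [f for f in findings if f.warning is not None]}
```

Lines the regex does not recognise (Title, Date, URL, Dependency tree) are ignored, so the full report from the bug can be fed in unchanged.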
Comment 1 Larry the Git Cow gentoo-dev 2022-12-12 07:16:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fed53f82a47f6c82d30a0c42575b840034516a04

commit fed53f82a47f6c82d30a0c42575b840034516a04
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-12-12 05:47:32 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-12-12 07:12:31 +0000

    app-emulation/ruffle: add 0_p20221212
    
    To update wrt bug #86401, only slice-deque-0.3.0 issue remains
    which is waiting for minimp3's upstream (there is a migration
    PR but progress has been kind of stalled).
    
    This replaces x11-clipboard by arboard and thus removes the need
    for old xcb crate and python-any-r1.
    
    Adjust X deps to match what winit crate uses more closely.
    Arboard and winit have some degree of wayland support but this
    didn't work so well with ruffle yet from a quick try.
    
    Bug: https://bugs.gentoo.org/864010
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 app-emulation/ruffle/Manifest                  |  71 +++
 app-emulation/ruffle/ruffle-0_p20221212.ebuild | 583 +++++++++++++++++++++++++
 2 files changed, 654 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-12-29 20:29:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=947742fff69af49cd9a5bd4b5f22313cd53acfc0

commit 947742fff69af49cd9a5bd4b5f22313cd53acfc0
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-12-29 17:22:51 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-12-29 20:28:56 +0000

    app-emulation/ruffle: drop vulnerable 0_p20221212
    
    Bug: https://bugs.gentoo.org/864010
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 app-emulation/ruffle/Manifest                  |  49 ---
 app-emulation/ruffle/ruffle-0_p20221212.ebuild | 583 -------------------------
 2 files changed, 632 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a596739245e52bcd5e5c162b5543f35748ca6da

commit 7a596739245e52bcd5e5c162b5543f35748ca6da
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-12-29 17:16:30 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-12-29 20:28:56 +0000

    app-emulation/ruffle: add 0_p20221229
    
    all done wrt bug #864010, minimp3 is no longer used and so
    neither is slice-deque (and no new vulns from cargo audit).
    
    Bug: https://bugs.gentoo.org/864010
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 app-emulation/ruffle/Manifest                  |  46 ++
 app-emulation/ruffle/ruffle-0_p20221229.ebuild | 580 +++++++++++++++++++++++++
 2 files changed, 626 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-30 21:14:53 UTC
Thanks! All done then.