Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 864022 - app-misc/skim: 'cargo audit' reports one or more bundled CRATES as vulnerable
Summary: app-misc/skim: 'cargo audit' reports one or more bundled CRATES as vulnerable
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-06 15:29 UTC by Agostino Sarubbo
Modified: 2024-01-14 14:46 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2022-08-06 15:29:20 UTC 
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching here the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (82 crate dependencies)
Crate:     beef
Version:   0.4.4
Title:     beef::Cow lacks a Sync bound on its Send trait allowing for data races
Date:      2020-10-28
ID:        RUSTSEC-2020-0122
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0122
Solution:  Upgrade to >=0.5.0
Dependency tree:
beef 0.4.4

Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     crossbeam-deque
Version:   0.7.3
Title:     Data race in crossbeam-deque
Date:      2021-07-30
ID:        RUSTSEC-2021-0093
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution:  Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree:
crossbeam-deque 0.7.3

Crate:     regex
Version:   1.4.1
Title:     Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:      2022-03-08
ID:        RUSTSEC-2022-0013
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:  Upgrade to >=1.5.5
Dependency tree:
regex 1.4.1

Crate:     thread_local
Version:   1.0.1
Title:     Data race in `Iter` and `IterMut`
Date:      2022-01-23
ID:        RUSTSEC-2022-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:  Upgrade to >=1.1.4
Dependency tree:
thread_local 1.0.1

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate:     term
Version:   0.6.1
Warning:   unmaintained
Title:     term is looking for a new maintainer
Date:      2018-11-19
ID:        RUSTSEC-2018-0015
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree:
term 0.6.1

error: 6 vulnerabilities found!
warning: 1 allowed warning found
Comment 1 Larry the Git Cow gentoo-dev 2024-01-14 14:46:24 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acc699738b23e09aa5fcf13e686ef55c55109456

commit acc699738b23e09aa5fcf13e686ef55c55109456
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-01-14 14:45:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-14 14:45:29 +0000

    app-misc/skim: add 0.10.4
    
    Closes: https://bugs.gentoo.org/864022
    Closes: https://bugs.gentoo.org/910423
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/skim/Manifest           |  90 ++++++++++++++++++++++++
 app-misc/skim/skim-0.10.4.ebuild | 148 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 238 insertions(+)