Dear maintainer(s),

'cargo audit' reports one or more bundled CRATES as vulnerable. To reproduce, please install dev-util/cargo-audit and run:

    cargo audit --file Cargo.lock

where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the output of 'cargo audit' here:

    Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (285 crate dependencies)
    Crate:         regex
    Version:       1.5.4
    Title:         Regexes with large repetitions on empty sub-expressions take a very long time to parse
    Date:          2022-03-08
    ID:            RUSTSEC-2022-0013
    URL:           https://rustsec.org/advisories/RUSTSEC-2022-0013
    Solution:      Upgrade to >=1.5.5
    Dependency tree:
    regex 1.5.4

    Crate:         thread_local
    Version:       1.1.3
    Title:         Data race in `Iter` and `IterMut`
    Date:          2022-01-23
    ID:            RUSTSEC-2022-0006
    URL:           https://rustsec.org/advisories/RUSTSEC-2022-0006
    Solution:      Upgrade to >=1.1.4
    Dependency tree:
    thread_local 1.1.3

    Crate:         stdweb
    Version:       0.4.20
    Warning:       unmaintained
    Title:         stdweb is unmaintained
    Date:          2020-05-04
    ID:            RUSTSEC-2020-0056
    URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
    Dependency tree:
    stdweb 0.4.20

    error: 2 vulnerabilities found!
    warning: 1 allowed warning found
Post 0.5.4-r1:

        Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
          Loaded 556 security advisories (from /home/kangie/.cargo/advisory-db)
        Updating crates.io index
        Scanning Cargo.lock for vulnerabilities (127 crate dependencies)
    Crate:     ansi_term
    Version:   0.12.1
    Warning:   unmaintained
    Title:     ansi_term is Unmaintained
    Date:      2021-08-18
    ID:        RUSTSEC-2021-0139
    URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
    Dependency tree:
    ansi_term 0.12.1
    └── clap 2.34.0
        └── structopt 0.3.26
            └── cargo-ebuild 0.5.4-r1

    Crate:     atty
    Version:   0.2.14
    Warning:   unsound
    Title:     Potential unaligned read
    Date:      2021-07-04
    ID:        RUSTSEC-2021-0145
    URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
    Dependency tree:
    atty 0.2.14
    └── clap 2.34.0
        └── structopt 0.3.26
            └── cargo-ebuild 0.5.4-r1

    Crate:     crossbeam-channel
    Version:   0.5.6
    Warning:   yanked
    Dependency tree:
    crossbeam-channel 0.5.6
    └── rayon-core 1.10.1
        └── rayon 1.6.1
            └── crates-index 0.18.11
                └── rustsec 0.26.4
                    └── cargo-ebuild 0.5.4-r1

    warning: 3 allowed warnings found
0.5.4-r1 (and the dropping of previous versions) resolves: https://rustsec.org/advisories/RUSTSEC-2023-0003
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57149dc1d7024478fa62a9f986510ba462ffaa74

    commit 57149dc1d7024478fa62a9f986510ba462ffaa74
    Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
    AuthorDate: 2023-08-14 09:13:25 +0000
    Commit:     Sam James <sam@gentoo.org>
    CommitDate: 2023-08-26 03:50:17 +0000

        dev-util/cargo-ebuild: add 0.5.4-r1

        - Trivial fixes for compatibility with modern cargo.eclass
        - https://rustsec.org/advisories/RUSTSEC-2023-0003

        Bug: https://bugs.gentoo.org/864061
        Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
        Signed-off-by: Sam James <sam@gentoo.org>

     dev-util/cargo-ebuild/Manifest                     |   1 +
     dev-util/cargo-ebuild/cargo-ebuild-0.5.4-r1.ebuild | 176 +++++++++++++++++++++
     .../cargo-ebuild-0.5.4-updated-eclass-style.patch  |  60 +++++++
     3 files changed, 237 insertions(+)