Bug 863992

Summary: app-backup/rdedup: 'cargo audit' reports one or more bundled CRATES as vulnerable
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: robbat2
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 921367
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2022-08-06 15:24:50 UTC
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce, please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the output of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (32 crate dependencies)
Crate:     regex
Version:   0.1.80
Title:     Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:      2022-03-08
ID:        RUSTSEC-2022-0013
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:  Upgrade to >=1.5.5
Dependency tree:
regex 0.1.80

Crate:     rust-crypto
Version:   0.2.36
Title:     Miscomputation when performing AES encryption in rust-crypto
Date:      2022-02-28
ID:        RUSTSEC-2022-0011
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0011
Solution:  No fixed upgrade is available!
Dependency tree:
rust-crypto 0.2.36

Crate:     rustc-serialize
Version:   0.3.22
Title:     Stack overflow in rustc_serialize when parsing deeply nested JSON
Date:      2022-01-01
ID:        RUSTSEC-2022-0004
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0004
Solution:  No fixed upgrade is available!
Dependency tree:
rustc-serialize 0.3.22

Crate:     sodiumoxide
Version:   0.0.12
Title:     scalarmult() vulnerable to degenerate public keys
Date:      2017-01-26
ID:        RUSTSEC-2017-0001
URL:       https://rustsec.org/advisories/RUSTSEC-2017-0001
Solution:  Upgrade to >=0.0.14
Dependency tree:
sodiumoxide 0.0.12

Crate:     sodiumoxide
Version:   0.0.12
Title:     generichash::Digest::eq always return true
Date:      2019-10-11
ID:        RUSTSEC-2019-0026
URL:       https://rustsec.org/advisories/RUSTSEC-2019-0026
Solution:  Upgrade to >=0.2.5

Crate:     thread_local
Version:   0.2.7
Title:     Data race in `Iter` and `IterMut`
Date:      2022-01-23
ID:        RUSTSEC-2022-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:  Upgrade to >=1.1.4
Dependency tree:
thread_local 0.2.7

Crate:     time
Version:   0.1.36
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.36

Crate:     rust-crypto
Version:   0.2.36
Warning:   unmaintained
Title:     rust-crypto is unmaintained; switch to a modern alternative
Date:      2016-09-06
ID:        RUSTSEC-2016-0005
URL:       https://rustsec.org/advisories/RUSTSEC-2016-0005

error: 7 vulnerabilities found!
warning: 1 allowed warning found