Summary: | app-misc/rpick: 'cargo audit' reports one or more bundled CRATES as vulnerable
---|---
Product: | Gentoo Security
Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | normal
CC: | proxy-maint, randy
Priority: | Normal
Version: | unspecified
Hardware: | All
OS: | Linux
Whiteboard: |
Package list: |
Runtime testing required: | ---
Description

Agostino Sarubbo 2022-08-06 15:29:00 UTC

Randy Barlow (comment #1)

As noted in https://github.com/Stebalien/term/issues/93, term isn't unmaintained, it just isn't getting new features anymore. Note also that https://rustsec.org/advisories/RUSTSEC-2018-0015 says that >0.6.1 is "unaffected" (which is weird to me, how can something be unmaintained but also be unaffected with a newer version at the same time?). rpick-0.8.13 is currently in testing and has term-0.7.0. So we could consider this "fixed" by that version of rpick, but I would argue that there is no vulnerability here to begin with since the crate is not truly unmaintained.

As for regex, it is only used for tests as you can see here: https://github.com/bowlofeggs/rpick/blob/0.8.13/Cargo.toml. Also, both in-tree versions of rpick use a version of regex that is fixed.

Since I believe term isn't truly vulnerable, and since regex is only used for tests (and both versions of rpick in tree currently have the fix), I suggest we mark this ticket as fixed.

I don't actually have the permissions to set the status on this ticket, so someone else will need to do that if they agree with my assessment here.

(In reply to Randy Barlow from comment #1)
> As noted in https://github.com/Stebalien/term/issues/93, term isn't unmaintained, it just isn't getting new features anymore. Note also that https://rustsec.org/advisories/RUSTSEC-2018-0015 says that >0.6.1 is "unaffected" (which is weird to me, how can something be unmaintained but also be unaffected with a newer version at the same time?). rpick-0.8.13 is currently in testing and has term-0.7.0. So we could consider this "fixed" by that version of rpick, but I would argue that there is no vulnerability here to begin with since the crate is not truly unmaintained.
>
> As for regex, it is only used for tests as you can see here: https://github.com/bowlofeggs/rpick/blob/0.8.13/Cargo.toml. Also, both in-tree versions of rpick use a version of regex that is fixed.
>
> Since I believe term isn't truly vulnerable, and since regex is only used for tests (and both versions of rpick in tree currently have the fix), I suggest we mark this ticket as fixed.
>
> I don't actually have the permissions to set the status on this ticket, so someone else will need to do that if they agree with my assessment here.

Plausible reason to presume a borderline spam bug report is fixed? Sure!
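A triage helper along the lines of the argument made in comment #1, added here as an example and not part of the bug or of rpick: it cross-checks a `cargo audit --json` report against Cargo.toml so that advisories on crates pulled in only by tests, and informational warnings such as "unmaintained", are separated from findings that need action. The report shape and the Cargo.toml fragment are constructed (the JSON is a simplification of the real report), and the regex advisory id is a placeholder.

```python
import json

# Constructed Cargo.toml fragment modelled on the bug's rpick case:
# term is a normal dependency, regex is pulled in only for tests.
CARGO_TOML = """
[dependencies]
term = "0.7"
[dev-dependencies]
regex = "1"
"""

# Constructed report in the shape of `cargo audit --json` output (simplified;
# real reports carry more fields). The regex advisory id is a placeholder.
AUDIT_JSON = json.dumps({
    "vulnerabilities": {"list": [
        {"advisory": {"id": "RUSTSEC-XXXX-XXXX", "package": "regex"},
         "package": {"name": "regex", "version": "1.5.5"}}]},
    "warnings": {"unmaintained": [
        {"advisory": {"id": "RUSTSEC-2018-0015", "package": "term"},
         "package": {"name": "term", "version": "0.7.0"}}]},
})

def dev_only_crates(cargo_toml: str) -> set[str]:
    """Crates named only under [dev-dependencies] (inline `name = ...` entries)."""
    section, normal, dev = "", set(), set()
    for raw in cargo_toml.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif line and not line.startswith("#") and "=" in line:
            key = line.split("=", 1)[0].strip()
            if section.endswith("dev-dependencies"):
                dev.add(key)
            elif section.endswith("dependencies"):  # incl. build-/target-specific
                normal.add(key)
    return dev - normal

def triage(audit_json: str, cargo_toml: str) -> dict[str, str]:
    """Map advisory id -> 'actionable', 'dev-only' or 'informational:<kind>'.
    Warnings (unmaintained, yanked, ...) are advisories, not vulnerabilities."""
    report = json.loads(audit_json)
    dev_only = dev_only_crates(cargo_toml)
    result = {}
    for kind, entries in report.get("warnings", {}).items():
        for entry in entries:
            result[entry["advisory"]["id"]] = f"informational:{kind}"
    for entry in report["vulnerabilities"]["list"]:
        crate = entry["package"]["name"]
        result[entry["advisory"]["id"]] = "dev-only" if crate in dev_only else "actionable"
    return result
```

Cargo.lock, which cargo audit scans, does not record which crates are dev-only, hence the separate Cargo.toml check; a dev-only finding still deserves a look if the test suite feeds that crate untrusted input.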