Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 864043

Summary: dev-lang/starlark-rust: 'cargo audit' reports one or more bundled CRATES as vulnerable
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: zmedico
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2022-08-06 15:30:50 UTC 
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching here the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (206 crate dependencies)
Crate:     beef
Version:   0.4.4
Title:     beef::Cow lacks a Sync bound on its Send trait allowing for data races
Date:      2020-10-28
ID:        RUSTSEC-2020-0122
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0122
Solution:  Upgrade to >=0.5.0
Dependency tree:
beef 0.4.4

Crate:     nix
Version:   0.19.1
Title:     Out-of-bounds write in nix::unistd::getgrouplist
Date:      2021-09-27
ID:        RUSTSEC-2021-0119
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0119
Solution:  Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree:
nix 0.19.1

error: 2 vulnerabilities found!
Comment 1 Larry the Git Cow gentoo-dev 2022-08-06 17:37:34 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d07da4e65b17efb452ead410648d806316d42240

commit d07da4e65b17efb452ead410648d806316d42240
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-08-06 17:36:45 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-08-06 17:37:31 +0000

    dev-lang/starlark-rust: drop 0.7.0
    
    Bug: https://bugs.gentoo.org/864043
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 dev-lang/starlark-rust/Manifest                   |  43 -----
 dev-lang/starlark-rust/starlark-rust-0.7.0.ebuild | 181 ----------------------
 2 files changed, 224 deletions(-)