
Bug 864076

Summary: dev-util/wachy: 'cargo audit' reports one or more bundled CRATES as vulnerable
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: chutzpah
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2022-08-06 15:34:18 UTC
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce, please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (92 crate dependencies)
Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     ncurses
Version:   5.101.0
Title:     Buffer overflow and format vulnerabilities in functions exposed without unsafe
Date:      2019-06-15
ID:        RUSTSEC-2019-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2019-0006
Solution:  No fixed upgrade is available!
Dependency tree:
ncurses 5.101.0

Crate:     owning_ref
Version:   0.4.1
Title:     Multiple soundness issues in `owning_ref`
Date:      2022-01-26
ID:        RUSTSEC-2022-0040
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0040
Solution:  No fixed upgrade is available!
Dependency tree:
owning_ref 0.4.1

Crate:     thread_local
Version:   1.1.3
Title:     Data race in `Iter` and `IterMut`
Date:      2022-01-23
ID:        RUSTSEC-2022-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:  Upgrade to >=1.1.4
Dependency tree:
thread_local 1.1.3

Crate:     time
Version:   0.1.43
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.43

Crate:     term_size
Version:   0.3.2
Warning:   unmaintained
Title:     `term_size` is unmaintained; use `terminal_size` instead
Date:      2020-11-03
ID:        RUSTSEC-2020-0163
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0163
Dependency tree:
term_size 0.3.2

error: 5 vulnerabilities found!
warning: 1 allowed warning found
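Added here as an editor's example (not part of the bug report or of cargo-audit itself): a small Python parser for the text report format quoted above, which turns each advisory block into a record and sorts crates into fixable, unfixed and warning-only, the split a maintainer needs when choosing between a version bump, a patch or a replacement crate. The sample input is a constructed, trimmed copy of the report above.

```python
import re
# Constructed sample: a trimmed copy of the cargo audit text output from this bug report.
SAMPLE_REPORT = """\
Crate:     chrono
Version:   0.4.19
ID:        RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20

Crate:     ncurses
ID:        RUSTSEC-2019-0006
Solution:  No fixed upgrade is available!

Crate:     term_size
Warning:   unmaintained
ID:        RUSTSEC-2020-0163

error: 2 vulnerabilities found!
"""
FIELD_RE = re.compile(r"^(\w+):\s+(.*)$")           # "Key:   value" lines
FIX_RE = re.compile(r"Upgrade to >=\s*([\w.+-]+)")  # fixed version in a Solution line
def parse_report(text):
    # Blank lines separate records; lines without "Key: value" shape are skipped and
    # records without a "Crate" field (the trailing summary) are dropped.
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return [r for r in records if "Crate" in r]
def triage(text):
    # fixable: bump to the listed version; unfixed: needs a patch or replacement
    # crate; warnings: informational entries such as "unmaintained".
    out = {"fixable": {}, "unfixed": [], "warnings": []}
    for r in parse_report(text):
        crate, advisory = r["Crate"], r.get("ID", "unknown")
        if "Warning" in r:
            out["warnings"].append((crate, r["Warning"], advisory))
        elif m := FIX_RE.search(r.get("Solution", "")):
            out["fixable"][crate] = (r.get("Version"), m.group(1), advisory)
        else:
            out["unfixed"].append((crate, advisory))
    return out
```

Feeding the full report from the bug into `triage` gives the same three buckets; the dependency-tree lines do not match the field shape and are ignored.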