Bug 864016 - app-misc/broot: 'cargo audit' reports one or more bundled CRATES as vulnerable
Summary: app-misc/broot: 'cargo audit' reports one or more bundled CRATES as vulnerable
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Keywords: PullRequest
Reported: 2022-08-06 15:28 UTC by Agostino Sarubbo
Modified: 2022-09-27 13:47 UTC
Description Agostino Sarubbo gentoo-dev 2022-08-06 15:28:49 UTC
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (357 crate dependencies)
Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     time
Version:   0.1.43
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.43

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate:     xcb
Version:   0.10.1
Title:     Multiple soundness issues
Date:      2021-02-04
ID:        RUSTSEC-2021-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0019
Solution:  Upgrade to >=1.0
Dependency tree:
xcb 0.10.1

Crate:     memmap
Version:   0.7.0
Warning:   unmaintained
Title:     memmap is unmaintained
Date:      2020-12-02
ID:        RUSTSEC-2020-0077
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0077
Dependency tree:
memmap 0.7.0

error: 4 vulnerabilities found!
warning: 1 allowed warning found
Comment 1 Karl-Johan Karlsson 2022-08-06 19:38:38 UTC
(In reply to Agostino Sarubbo from comment #0)
> Crate:     chrono
> Solution:  Upgrade to >=0.4.20

Submitted upstream as https://github.com/Canop/broot/pull/582

> Crate:     time
> Solution:  Upgrade to >=0.2.23

The correct dependency tree for this is:

time 0.1.44
└── chrono 0.4.19
    ├── glassbench 0.3.3
    │   └── broot 1.14.2
    ├── csv2svg 0.1.7
    │   └── glassbench 0.3.3
    ├── cli-log 2.0.0
    │   └── broot 1.14.2
    ├── cli-log 0.1.0
    │   └── csv2svg 0.1.7
    └── broot 1.14.2

Final upstream (chrono) claims not to be affected: https://github.com/chronotope/chrono/issues/602#issuecomment-1075915577

"I'm going to close this because in its current version, chrono does not call the vulnerable APIs in time 0.1. Since #478 the dependency on time is fairly minimal and in the next semver-compatible version we'll remove it entirely."

> Crate:     xcb
> Solution:  Upgrade to >=1.0

Submitted upstream as https://github.com/Canop/terminal-clipboard/issues/4

> Crate:     memmap
> Title:     memmap is unmaintained

Submitted upstream as https://github.com/Canop/broot/pull/583
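An added example, not part of this bug report or of broot: a small parser for the plain-text `cargo audit` report format quoted in comment 0, which keeps each finding's reverse-dependency tree, separates real vulnerabilities from "unmaintained" warnings, and lets a reviewer waive advisory IDs that upstream has judged not applicable, as with RUSTSEC-2020-0071 above. The sample input is a constructed, shortened copy of that report.

```python
import re
# Constructed sample: two records in the report format quoted in comment 0
# (one real vulnerability and one "unmaintained" warning).
SAMPLE = """\
Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
ID:        RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.19

Crate:     memmap
Version:   0.7.0
Warning:   unmaintained
Title:     memmap is unmaintained
ID:        RUSTSEC-2020-0077
Dependency tree:
memmap 0.7.0
"""
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_report(text):
    """One dict per 'Crate:' record; lines after 'Dependency tree:' go in 'tree'."""
    findings, current, in_tree = [], None, False
    for line in text.splitlines():
        if not line.strip():              # a blank line ends the record
            current, in_tree = None, False
            continue
        if in_tree:
            current["tree"].append(line.rstrip())
            continue
        m = FIELD.match(line)
        if m and m.group(1) == "Crate":
            current = {"tree": []}
            findings.append(current)
        if not m or current is None or m.group(1) in ("error", "warning"):
            continue                      # loader and summary lines
        if m.group(1) == "Dependency tree":
            in_tree = True
        else:
            current[m.group(1).lower()] = m.group(2).strip()
    return findings

def triage(findings, accepted=()):
    """Split real vulnerabilities from warnings; 'accepted' holds advisory IDs a
    reviewer has waived (e.g. RUSTSEC-2020-0071, which chrono says it never hits)."""
    vulns = [f for f in findings if "warning" not in f and f["id"] not in accepted]
    return vulns, [f for f in findings if "warning" in f]
```

Feeding the full report from comment 0 through `parse_report` yields four vulnerabilities and one warning, matching the tool's own summary lines.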
Comment 2 Karl-Johan Karlsson 2022-09-19 08:26:59 UTC
As of app-misc/broot-1.14.3:

chrono has been bumped to 0.4.22.
Upstream claims time is not vulnerable.
memmap has been replaced with memmap2.

Of the original issues, only the xcb dependency remains. Upstream has not replied to the ticket I filed about it.

"cargo audit" now finds one new issue:

Crate:     xml-rs
Version:   0.8.4
Warning:   unmaintained
Title:     xml-rs is Unmaintained
Date:      2022-01-26
ID:        RUSTSEC-2022-0048
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.4
└── plist 1.3.1
    └── syntect-no-panic 4.6.1
        └── broot 1.14.3

plist upstream has a switch from xml-rs to quick-xml in the plans for release 1.4: https://github.com/ebarnard/rust-plist/milestone/3
Comment 3 Larry the Git Cow gentoo-dev 2022-09-27 13:47:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4379d1e69773232d71c2827de8a9ba63c8381d85

commit 4379d1e69773232d71c2827de8a9ba63c8381d85
Author:     Karl-Johan Karlsson <creideiki@lysator.liu.se>
AuthorDate: 2022-09-18 11:05:55 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-09-27 13:47:15 +0000

    app-misc/broot: add 1.15.0
    
    1.15.0 (actually since 1.14.3) includes fixes for all but one of the
    issues raised in bug 864016. The outdated XCB dependency remains.
    
    Bug: https://bugs.gentoo.org/864016
    Signed-off-by: Karl-Johan Karlsson <creideiki@lysator.liu.se>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-misc/broot/Manifest            |  72 ++++++++-
 app-misc/broot/broot-1.15.0.ebuild | 311 +++++++++++++++++++++++++++++++++++++
 2 files changed, 382 insertions(+), 1 deletion(-)