Bug 864016 - <app-misc/broot-1.29.0: 'cargo audit' reports one or more bundled CRATES as vulnerable
Summary: <app-misc/broot-1.29.0: 'cargo audit' reports one or more bundled CRATES as v...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2022-08-06 15:28 UTC by Agostino Sarubbo
Modified: 2023-11-22 19:31 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2022-08-06 15:28:49 UTC
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (357 crate dependencies)
Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     time
Version:   0.1.43
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.43

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate:     xcb
Version:   0.10.1
Title:     Multiple soundness issues
Date:      2021-02-04
ID:        RUSTSEC-2021-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0019
Solution:  Upgrade to >=1.0
Dependency tree:
xcb 0.10.1

Crate:     memmap
Version:   0.7.0
Warning:   unmaintained
Title:     memmap is unmaintained
Date:      2020-12-02
ID:        RUSTSEC-2020-0077
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0077
Dependency tree:
memmap 0.7.0

error: 4 vulnerabilities found!
warning: 1 allowed warning found
Comment 1 Karl-Johan Karlsson 2022-08-06 19:38:38 UTC
(In reply to Agostino Sarubbo from comment #0)
> Crate:     chrono
> Solution:  Upgrade to >=0.4.20

Submitted upstream as https://github.com/Canop/broot/pull/582

> Crate:     time
> Solution:  Upgrade to >=0.2.23

The correct dependency tree for this is:

time 0.1.44
└── chrono 0.4.19
    ├── glassbench 0.3.3
    │   └── broot 1.14.2
    ├── csv2svg 0.1.7
    │   └── glassbench 0.3.3
    ├── cli-log 2.0.0
    │   └── broot 1.14.2
    ├── cli-log 0.1.0
    │   └── csv2svg 0.1.7
    └── broot 1.14.2

Final upstream (chrono) claims not to be affected: https://github.com/chronotope/chrono/issues/602#issuecomment-1075915577

"I'm going to close this because in its current version, chrono does not call the vulnerable APIs in time 0.1. Since #478 the dependency on time is fairly minimal and in the next semver-compatible version we'll remove it entirely."

> Crate:     xcb
> Solution:  Upgrade to >=1.0

Submitted upstream as https://github.com/Canop/terminal-clipboard/issues/4

> Crate:     memmap
> Title:     memmap is unmaintained

Submitted upstream as https://github.com/Canop/broot/pull/583
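The reverse dependency tree in the reply above was traced by hand from Cargo.lock. As an added example (not code from this bug, from broot, or from cargo-audit), the Python below derives such a tree from a lock file: it reads the [[package]] entries, inverts the dependency edges, lists every chain from a flagged crate up to the top-level package, and prints the dependents in the same box-drawing layout cargo audit uses. The lock file content is constructed for the example and only borrows the crate names and versions mentioned in this bug; the parser assumes the standard Cargo.lock layout with a multi-line dependencies array.

```python
import re
from collections import defaultdict

# Constructed Cargo.lock fragment modelled on the tree in comment 1
# (not broot's real lock file; only the crate names/versions are from the bug).
SAMPLE_LOCK = """\
[[package]]
name = "broot"
version = "1.14.2"
dependencies = [
 "chrono",
 "glassbench",
]

[[package]]
name = "chrono"
version = "0.4.19"
dependencies = [
 "time 0.1.44",
]

[[package]]
name = "csv2svg"
version = "0.1.7"
dependencies = [
 "chrono",
]

[[package]]
name = "glassbench"
version = "0.3.3"
dependencies = [
 "chrono",
 "csv2svg",
]

[[package]]
name = "time"
version = "0.1.43"

[[package]]
name = "time"
version = "0.1.44"
"""

KEY_VALUE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_cargo_lock(text):
    """One {'name', 'version', 'deps'} dict per [[package]] entry.

    Dependency entries are kept as Cargo writes them: "name", or "name version"
    when several versions of that crate are locked. Other keys are ignored."""
    packages, current, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {"name": None, "version": None, "deps": []}
            packages.append(current)
            in_deps = False
            continue
        if current is None:
            continue
        if in_deps:
            if line.startswith("]"):
                in_deps = False
            elif line:
                current["deps"].append(line.rstrip(",").strip('"'))
            continue
        if line.startswith("dependencies = ["):
            in_deps = True
            continue
        m = KEY_VALUE.match(line)
        if m and m.group(1) in ("name", "version"):
            current[m.group(1)] = m.group(2)
    return packages


def resolve_dep(dep, by_name):
    """Map a raw dependency string to a (name, version) node."""
    parts = dep.split()
    if len(parts) > 1:                     # "name version [(source)]"
        return (parts[0], parts[1])
    versions = by_name.get(parts[0], [])
    if len(versions) != 1:
        raise ValueError(f"cannot resolve {dep!r}: {len(versions)} candidate versions")
    return (parts[0], versions[0])


def build_reverse_graph(lock_text):
    """Return {node: [dependents]}, the inverse of the lock file's edges."""
    packages = parse_cargo_lock(lock_text)
    by_name = defaultdict(list)
    for pkg in packages:
        by_name[pkg["name"]].append(pkg["version"])
    rdeps = defaultdict(list)
    for pkg in packages:
        for dep in pkg["deps"]:
            rdeps[resolve_dep(dep, by_name)].append((pkg["name"], pkg["version"]))
    return rdeps


def dependent_paths(rdeps, node, path=()):
    """Every chain from `node` up to a crate nothing else depends on."""
    path = path + (node,)
    parents = [p for p in sorted(rdeps.get(node, [])) if p not in path]  # skip dev-dep cycles
    if not parents:
        return [list(path)]
    paths = []
    for parent in parents:
        paths.extend(dependent_paths(rdeps, parent, path))
    return paths


def render_tree(rdeps, node, seen=()):
    """Draw the dependents of `node` in cargo audit's box-drawing style."""
    lines = [f"{node[0]} {node[1]}"]
    parents = [p for p in sorted(rdeps.get(node, [])) if p not in seen]
    for i, parent in enumerate(parents):
        last = i == len(parents) - 1
        branch, indent = ("└── ", "    ") if last else ("├── ", "│   ")
        sub = render_tree(rdeps, parent, seen + (node,))
        lines.append(branch + sub[0])
        lines.extend(indent + l for l in sub[1:])
    return lines


if __name__ == "__main__":
    rdeps = build_reverse_graph(SAMPLE_LOCK)
    print("\n".join(render_tree(rdeps, ("time", "0.1.44"))))
    roots = {p[-1] for p in dependent_paths(rdeps, ("time", "0.1.44"))}
    print("reached from:", ", ".join(f"{n} {v}" for n, v in sorted(roots)))
```

Run it against a real Cargo.lock by replacing SAMPLE_LOCK with the file's contents; the set of roots tells you which top-level package (here only broot) actually pulls the flagged crate in, which is the first thing to know before judging an advisory's relevance.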
Comment 2 Karl-Johan Karlsson 2022-09-19 08:26:59 UTC
As of app-misc/broot-1.14.3:

chrono has been bumped to 0.4.22.
Upstream claims time is not vulnerable.
memmap has been replaced with memmap2.

Of the original issues, only the xcb dependency remains. Upstream has not replied to the ticket I filed about it.

"cargo audit" now finds one new issue:

Crate:     xml-rs
Version:   0.8.4
Warning:   unmaintained
Title:     xml-rs is Unmaintained
Date:      2022-01-26
ID:        RUSTSEC-2022-0048
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.4
└── plist 1.3.1
    └── syntect-no-panic 4.6.1
        └── broot 1.14.3

plist upstream has a switch from xml-rs to quick-xml in the plans for release 1.4: https://github.com/ebarnard/rust-plist/milestone/3
Comment 3 Larry the Git Cow gentoo-dev 2022-09-27 13:47:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4379d1e69773232d71c2827de8a9ba63c8381d85

commit 4379d1e69773232d71c2827de8a9ba63c8381d85
Author:     Karl-Johan Karlsson <creideiki@lysator.liu.se>
AuthorDate: 2022-09-18 11:05:55 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-09-27 13:47:15 +0000

    app-misc/broot: add 1.15.0
    
    1.15.0 (actually since 1.14.3) includes fixes for all but one of the
    issues raised in bug 864016. The outdated XCB dependency remains.
    
    Bug: https://bugs.gentoo.org/864016
    Signed-off-by: Karl-Johan Karlsson <creideiki@lysator.liu.se>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-misc/broot/Manifest            |  72 ++++++++-
 app-misc/broot/broot-1.15.0.ebuild | 311 +++++++++++++++++++++++++++++++++++++
 2 files changed, 382 insertions(+), 1 deletion(-)
Comment 4 Karl-Johan Karlsson 2023-11-13 18:28:47 UTC
I just filed a pull request for version 1.28.1: https://github.com/gentoo/gentoo/pull/33794

That version fixes all outstanding issues from this bug.

"cargo audit" now reports one vulnerability:

Crate:     libsqlite3-sys
Version:   0.20.1
Title:     `libsqlite3-sys` via C SQLite CVE-2022-35737
Date:      2022-08-03
ID:        RUSTSEC-2022-0090
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0090
Severity:  7.5 (high)
Solution:  Upgrade to >=0.25.1
Dependency tree:
libsqlite3-sys 0.20.1
└── rusqlite 0.24.2
    └── glassbench 0.3.6
        └── broot 1.28.1

However, this does not apply for several reasons:

1) The bug is in SQLite's replacement printf() functions ( https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/ )

SQLite upstream says: "The bug cannot be reached using SQL nor can it be reached by providing SQLite with a corrupt database file." ( https://www.sqlite.org/cves.html )

The Rust code ( https://github.com/Canop/glassbench/blob/main/src/db.rs ) does not call these functions.

2) Broot itself does not use rusqlite and cannot open SQLite databases. Only Glassbench, which is a benchmarking library, uses rusqlite, to store its own results, which only happens if it is run during development of Broot.
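Comment 4 is a reachability assessment: the flagged crate is in Cargo.lock, but the vulnerable functions are never called and the only path to it runs through a benchmarking dependency. A practitioner wants that decision recorded next to the advisory ID so it is re-checked at every bump instead of being re-argued. The following Python is added here and is not part of the bug, of broot or of cargo-audit: it parses a report in the text layout cargo audit prints (the sample is constructed from the reports pasted in this bug), separates unmaintained-crate warnings from vulnerabilities, applies a list of accepted advisories that each must carry a written rationale, and flags exceptions whose advisory no longer appears so they can be pruned after an upgrade.

```python
import re

# Constructed sample in the text format 'cargo audit' prints, assembled from
# the findings pasted in this bug; not a capture from a real broot build.
SAMPLE_REPORT = """\
      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (357 crate dependencies)
Crate:     libsqlite3-sys
Version:   0.20.1
Title:     `libsqlite3-sys` via C SQLite CVE-2022-35737
Date:      2022-08-03
ID:        RUSTSEC-2022-0090
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0090
Severity:  7.5 (high)
Solution:  Upgrade to >=0.25.1
Dependency tree:
libsqlite3-sys 0.20.1
└── rusqlite 0.24.2
    └── glassbench 0.3.6
        └── broot 1.28.1

Crate:     xml-rs
Version:   0.8.4
Warning:   unmaintained
Title:     xml-rs is Unmaintained
Date:      2022-01-26
ID:        RUSTSEC-2022-0048
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.4
└── plist 1.3.1
    └── syntect-no-panic 4.6.1
        └── broot 1.28.1

error: 1 vulnerability found!
warning: 1 allowed warning found
"""

TREE_PREFIX = re.compile(r"^[\s│├└─]+")   # box-drawing indentation of tree lines
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_audit_report(text):
    """Split a cargo-audit text report into one dict per finding.

    Keys are the lower-cased field labels (crate, version, id, severity, ...).
    'tree' keeps the raw dependency-tree lines and 'chain' the crate names
    along it, from the flagged crate up to the top-level package."""
    findings, current, in_tree = [], None, False
    for raw in text.splitlines():
        if raw.startswith("Crate:"):          # each finding starts with this label
            current = {"tree": []}
            findings.append(current)
            in_tree = False
        if current is None:
            continue
        if in_tree:
            if raw.strip():
                current["tree"].append(raw.rstrip())
            else:                             # blank line closes the finding
                in_tree, current = False, None
            continue
        m = FIELD.match(raw)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "dependency tree":
            in_tree = True
        else:
            current[key] = value
    for f in findings:
        f["chain"] = [TREE_PREFIX.sub("", line).split()[0] for line in f["tree"]]
    return findings


def triage(findings, exceptions):
    """Sort findings into actionable, accepted and informational.

    `exceptions` maps an advisory ID to the reason it is accepted (e.g. the
    unreachability argument above). An empty reason is rejected so every
    suppressed finding stays explainable; IDs that no longer appear in the
    report are returned as stale so the list shrinks after upgrades."""
    for adv_id, why in exceptions.items():
        if not why.strip():
            raise ValueError(f"exception for {adv_id} has no rationale")
    result = {"actionable": [], "accepted": [], "warnings": [], "stale_exceptions": []}
    seen = set()
    for f in findings:
        seen.add(f["id"])
        if "warning" in f:                    # unmaintained/yanked: informational
            result["warnings"].append(f)
        elif f["id"] in exceptions:
            result["accepted"].append((f, exceptions[f["id"]]))
        else:
            result["actionable"].append(f)
    result["stale_exceptions"] = sorted(set(exceptions) - seen)
    return result


if __name__ == "__main__":
    findings = parse_audit_report(SAMPLE_REPORT)
    accepted = {"RUSTSEC-2022-0090": "printf-family bug in bundled SQLite; only reached via "
                "glassbench, a dev-time benchmark harness whose db.rs never calls it"}
    report = triage(findings, accepted)
    for f in report["actionable"]:
        print("ACTION  ", f["id"], f["crate"], f["version"], "via", " -> ".join(f["chain"]))
    for f, why in report["accepted"]:
        print("ACCEPTED", f["id"], f["crate"], f["version"], "--", why)
    for f in report["warnings"]:
        print("WARN    ", f["id"], f["crate"], f["version"], f["warning"])
    if report["stale_exceptions"]:
        print("STALE   ", ", ".join(report["stale_exceptions"]))
```

Feed it the output of `cargo audit --file Cargo.lock` from comment 0 and keep the exceptions dict under version control beside the package; an exit status of non-zero when `actionable` is non-empty is the natural next step for a CI hook.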
Comment 5 Larry the Git Cow gentoo-dev 2023-11-22 17:44:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4593b47648140970548096c8f2194bcbb5782087

commit 4593b47648140970548096c8f2194bcbb5782087
Author:     Karl-Johan Karlsson <creideiki@lysator.liu.se>
AuthorDate: 2023-11-13 18:05:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-11-22 17:32:25 +0000

    app-misc/broot: add 1.29.0
    
    1.28.1 fixed all outstanding issues in bug 864016.
    
    Bug: https://bugs.gentoo.org/864016
    Signed-off-by: Karl-Johan Karlsson <creideiki@lysator.liu.se>
    Closes: https://github.com/gentoo/gentoo/pull/33794
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/broot/Manifest            | 158 ++++++++++++++++
 app-misc/broot/broot-1.29.0.ebuild | 363 +++++++++++++++++++++++++++++++++++++
 2 files changed, 521 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-22 19:31:44 UTC
Thanks! Without clear exploitability, we'll treat this as B4, and no GLSA. All done!