Dear maintainer(s),

'cargo audit' reports one or more bundled CRATES as vulnerable.

To reproduce please install dev-util/cargo-audit and run:

cargo audit --file Cargo.lock

where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the content of 'cargo audit' here:

Loaded 433 security advisories (from /tmp/advisory-db)
Scanning Cargo.lock for vulnerabilities (357 crate dependencies)

Crate:    chrono
Version:  0.4.19
Title:    Potential segfault in `localtime_r` invocations
Date:     2020-11-10
ID:       RUSTSEC-2020-0159
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution: Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:    time
Version:  0.1.43
Title:    Potential segfault in the time crate
Date:     2020-11-18
ID:       RUSTSEC-2020-0071
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.43

Crate:    time
Version:  0.1.44
Title:    Potential segfault in the time crate
Date:     2020-11-18
ID:       RUSTSEC-2020-0071
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate:    xcb
Version:  0.10.1
Title:    Multiple soundness issues
Date:     2021-02-04
ID:       RUSTSEC-2021-0019
URL:      https://rustsec.org/advisories/RUSTSEC-2021-0019
Solution: Upgrade to >=1.0
Dependency tree:
xcb 0.10.1

Crate:    memmap
Version:  0.7.0
Warning:  unmaintained
Title:    memmap is unmaintained
Date:     2020-12-02
ID:       RUSTSEC-2020-0077
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0077
Dependency tree:
memmap 0.7.0

error: 4 vulnerabilities found!
warning: 1 allowed warning found
(In reply to Agostino Sarubbo from comment #0)

> Crate: chrono
> Solution: Upgrade to >=0.4.20

Submitted upstream as https://github.com/Canop/broot/pull/582

> Crate: time
> Solution: Upgrade to >=0.2.23

The correct dependency tree for this is:

time 0.1.44
└── chrono 0.4.19
    ├── glassbench 0.3.3
    │   └── broot 1.14.2
    ├── csv2svg 0.1.7
    │   └── glassbench 0.3.3
    ├── cli-log 2.0.0
    │   └── broot 1.14.2
    ├── cli-log 0.1.0
    │   └── csv2svg 0.1.7
    └── broot 1.14.2

Final upstream (chrono) claims not to be affected: https://github.com/chronotope/chrono/issues/602#issuecomment-1075915577

"I'm going to close this because in its current version, chrono does not call the vulnerable APIs in time 0.1. Since #478 the dependency on time is fairly minimal and in the next semver-compatible version we'll remove it entirely."

> Crate: xcb
> Solution: Upgrade to >=1.0

Submitted upstream as https://github.com/Canop/terminal-clipboard/issues/4

> Crate: memmap
> Title: memmap is unmaintained

Submitted upstream as https://github.com/Canop/broot/pull/583
As of app-misc/broot-1.14.3:

chrono has been bumped to 0.4.22.

Upstream claims time is not vulnerable.

memmap has been replaced with memmap2.

Of the original issues, only the xcb dependency remains. Upstream has not replied to the ticket I filed about it.

"cargo audit" now finds one new issue:

Crate:    xml-rs
Version:  0.8.4
Warning:  unmaintained
Title:    xml-rs is Unmaintained
Date:     2022-01-26
ID:       RUSTSEC-2022-0048
URL:      https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.4
└── plist 1.3.1
    └── syntect-no-panic 4.6.1
        └── broot 1.14.3

plist upstream has a switch from xml-rs to quick-xml in the plans for release 1.4: https://github.com/ebarnard/rust-plist/milestone/3
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4379d1e69773232d71c2827de8a9ba63c8381d85

commit 4379d1e69773232d71c2827de8a9ba63c8381d85
Author:     Karl-Johan Karlsson <creideiki@lysator.liu.se>
AuthorDate: 2022-09-18 11:05:55 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-09-27 13:47:15 +0000

    app-misc/broot: add 1.15.0

    1.15.0 (actually since 1.14.3) includes fixes for all but one of the
    issues raised in bug 864016. The outdated XCB dependency remains.

    Bug: https://bugs.gentoo.org/864016
    Signed-off-by: Karl-Johan Karlsson <creideiki@lysator.liu.se>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-misc/broot/Manifest            |  72 ++++++++-
 app-misc/broot/broot-1.15.0.ebuild | 311 +++++++++++++++++++++++++++++++++++++
 2 files changed, 382 insertions(+), 1 deletion(-)
I just filed a pull request for version 1.28.1: https://github.com/gentoo/gentoo/pull/33794

That version fixes all outstanding issues from this bug.

"cargo audit" now reports one vulnerability:

Crate:    libsqlite3-sys
Version:  0.20.1
Title:    `libsqlite3-sys` via C SQLite CVE-2022-35737
Date:     2022-08-03
ID:       RUSTSEC-2022-0090
URL:      https://rustsec.org/advisories/RUSTSEC-2022-0090
Severity: 7.5 (high)
Solution: Upgrade to >=0.25.1
Dependency tree:
libsqlite3-sys 0.20.1
└── rusqlite 0.24.2
    └── glassbench 0.3.6
        └── broot 1.28.1

However, this does not apply for several reasons:

1) The bug is in SQLite's replacement printf() functions ( https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/ ). SQLite upstream says: "The bug cannot be reached using SQL nor can it be reached by providing SQLite with a corrupt database file." ( https://www.sqlite.org/cves.html ) The Rust code ( https://github.com/Canop/glassbench/blob/main/src/db.rs ) does not call these functions.

2) Broot itself does not use rusqlite and cannot open SQLite databases. Only Glassbench, which is a benchmarking library, uses rusqlite, to store its own results, which only happens if it is run during development of Broot.
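Two pieces of work recur in this thread: reconstructing the real dependency tree that `cargo audit` collapsed to a single line (comment 2), and deciding whether a flagged crate is compiled into the installed binary at all or only reached through a benchmarking dev-dependency such as glassbench (the comment above). The script below is an added example, not part of the bug or of broot; it walks a Cargo.lock from a flagged crate up to the workspace root and tags each chain as release or dev-only. The lock file excerpt is constructed to mirror the `time` tree from comment 2 (trimmed to five packages), and the claim that glassbench is listed only under `[dev-dependencies]` is an assumption supplied by hand, since Cargo.lock does not record which dependencies are dev-only.

```python
# Constructed Cargo.lock excerpt (not broot's real lock file); it mirrors the
# shape of the `time` dependency tree discussed in the bug.
SAMPLE_LOCK = """\
[[package]]
name = "broot"
version = "1.14.2"
dependencies = [
 "chrono",
 "cli-log",
 "glassbench",
]
[[package]]
name = "chrono"
version = "0.4.19"
dependencies = [
 "time",
]
[[package]]
name = "cli-log"
version = "2.0.0"
dependencies = [
 "chrono",
]
[[package]]
name = "glassbench"
version = "0.3.3"
dependencies = [
 "chrono",
]
[[package]]
name = "time"
version = "0.1.44"
"""


def parse_lock(text):
    """Minimal parser for the [[package]] tables of a v3 Cargo.lock.
    Returns {(name, version): [(dep_name, dep_version), ...]}; a dependency
    entry is "name", or "name version" when several versions are locked."""
    pkgs, cur, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            cur = {"deps": []}
            pkgs.append(cur)
        elif cur is None:
            continue
        elif in_deps:
            if line == "]":
                in_deps = False
            elif line.startswith('"'):
                cur["deps"].append(line.strip('",'))
        elif line.startswith("name = "):
            cur["name"] = line.split('"')[1]
        elif line.startswith("version = "):
            cur["version"] = line.split('"')[1]
        elif line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")
    versions = {}
    for p in pkgs:
        versions.setdefault(p["name"], []).append(p["version"])
    graph = {}
    for p in pkgs:
        deps = []
        for spec in p["deps"]:
            parts = spec.split()
            if len(parts) > 1:
                deps.append((parts[0], parts[1]))
            elif len(versions.get(parts[0], [])) == 1:
                deps.append((parts[0], versions[parts[0]][0]))
            else:
                raise ValueError(f"ambiguous dependency {spec!r} in {p['name']}")
        graph[(p["name"], p["version"])] = deps
    return graph


def paths_to_roots(graph, target):
    """Every chain target -> ... -> root; a root is a package nothing in the
    lock file depends on (normally the workspace members)."""
    parents = {}
    for pkg, deps in graph.items():
        for dep in deps:
            parents.setdefault(dep, []).append(pkg)
    found = []

    def climb(node, chain):
        ups = parents.get(node, [])
        if not ups:
            found.append(chain)
        for up in ups:
            if up not in chain:  # lock graphs are acyclic; guard anyway
                climb(up, chain + [up])

    climb(target, [target])
    return found


def reaches_release_build(chain, root_dev_deps):
    """True if the chain enters the root through a normal dependency.
    chain[-2] is the root's direct dependency on this chain; if Cargo.toml
    lists it only under [dev-dependencies], the chain is built for
    `cargo test`/`cargo bench` only and never into the installed binary."""
    return len(chain) < 2 or chain[-2][0] not in root_dev_deps


if __name__ == "__main__":
    # Assumed: glassbench is listed only under [dev-dependencies] in the root's
    # Cargo.toml; Cargo.lock does not record that, so it is supplied by hand.
    for chain in paths_to_roots(parse_lock(SAMPLE_LOCK), ("time", "0.1.44")):
        tag = "release" if reaches_release_build(chain, {"glassbench"}) else "dev-only"
        print(tag, " -> ".join(f"{n} {v}" for n, v in chain))
```

On the sample lock this yields three chains: two reach broot directly or through cli-log and are therefore release code (which is why comment 2 had to fall back on chrono's statement that it does not call the vulnerable time APIs), and one reaches broot only through glassbench. The libsqlite3-sys case above is the situation where every chain is of the second kind; `cargo tree -i libsqlite3-sys -e normal` asks Cargo the same question for a checked-out source tree.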
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4593b47648140970548096c8f2194bcbb5782087

commit 4593b47648140970548096c8f2194bcbb5782087
Author:     Karl-Johan Karlsson <creideiki@lysator.liu.se>
AuthorDate: 2023-11-13 18:05:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-11-22 17:32:25 +0000

    app-misc/broot: add 1.29.0

    1.28.1 fixed all outstanding issues in bug 864016.

    Bug: https://bugs.gentoo.org/864016
    Signed-off-by: Karl-Johan Karlsson <creideiki@lysator.liu.se>
    Closes: https://github.com/gentoo/gentoo/pull/33794
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/broot/Manifest            | 158 ++++++++++++++++
 app-misc/broot/broot-1.29.0.ebuild | 363 +++++++++++++++++++++++++++++++++++++
 2 files changed, 521 insertions(+)
Thanks! Without clear exploitability, we'll treat this as B4, and no GLSA. All done!