Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 864025 - app-misc/weggli: 'cargo audit' reports one or more bundled CRATES as vulnerable
Summary: app-misc/weggli: 'cargo audit' reports one or more bundled CRATES as vulnerable
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: ~? [upstream]
Depends on:
Reported: 2022-08-06 15:29 UTC by Agostino Sarubbo
Modified: 2022-08-12 18:02 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2022-08-06 15:29:27 UTC
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching here the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (113 crate dependencies)
Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate:     nix
Version:   0.17.0
Title:     Out-of-bounds write in nix::unistd::getgrouplist
Date:      2021-09-27
ID:        RUSTSEC-2021-0119
Solution:  Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree:
nix 0.17.0

Crate:     regex
Version:   1.5.4
Title:     Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:      2022-03-08
ID:        RUSTSEC-2022-0013
Solution:  Upgrade to >=1.5.5
Dependency tree:
regex 1.5.4

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate:     difference
Version:   2.0.0
Warning:   unmaintained
Title:     difference is unmaintained
Date:      2020-12-20
ID:        RUSTSEC-2020-0095
Dependency tree:
difference 2.0.0

Crate:     serde_cbor
Version:   0.11.2
Warning:   unmaintained
Title:     serde_cbor is unmaintained
Date:      2021-08-15
ID:        RUSTSEC-2021-0127
Dependency tree:
serde_cbor 0.11.2

error: 4 vulnerabilities found!
warning: 2 allowed warnings found
Comment 1 Matthew Smith gentoo-dev 2022-08-12 18:02:18 UTC
weggli-0.2.4 still has the vulnerable crates in its lockfile.

Unsure how impactful these vulnerabilities as they are used in this package, but I will try and find the time to update them and send a patch upstream. (I imagine that chrono-0.4.19 -> chrono-0.4.20 will be trivial, while nix-0.17.0->nix-0.24.2 will require changes.)