Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 864043 - dev-lang/starlark-rust: 'cargo audit' reports one or more bundled CRATES as vulnerable
Summary: dev-lang/starlark-rust: 'cargo audit' reports one or more bundled CRATES as v...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Depends on:
Reported: 2022-08-06 15:30 UTC by Agostino Sarubbo
Modified: 2022-08-06 17:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2022-08-06 15:30:50 UTC
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching here the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (206 crate dependencies)
Crate:     beef
Version:   0.4.4
Title:     beef::Cow lacks a Sync bound on its Send trait allowing for data races
Date:      2020-10-28
ID:        RUSTSEC-2020-0122
Solution:  Upgrade to >=0.5.0
Dependency tree:
beef 0.4.4

Crate:     nix
Version:   0.19.1
Title:     Out-of-bounds write in nix::unistd::getgrouplist
Date:      2021-09-27
ID:        RUSTSEC-2021-0119
Solution:  Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree:
nix 0.19.1

error: 2 vulnerabilities found!
Comment 1 Larry the Git Cow gentoo-dev 2022-08-06 17:37:34 UTC
The bug has been referenced in the following commit(s):

commit d07da4e65b17efb452ead410648d806316d42240
Author:     Zac Medico <>
AuthorDate: 2022-08-06 17:36:45 +0000
Commit:     Zac Medico <>
CommitDate: 2022-08-06 17:37:31 +0000

    dev-lang/starlark-rust: drop 0.7.0
    Signed-off-by: Zac Medico <>

 dev-lang/starlark-rust/Manifest                   |  43 -----
 dev-lang/starlark-rust/starlark-rust-0.7.0.ebuild | 181 ----------------------
 2 files changed, 224 deletions(-)