Bug 864049 - <dev-python/cryptography-41.0.1: 'cargo audit' reports one or more bundled CRATES as vulnerable
Summary: <dev-python/cryptography-41.0.1: 'cargo audit' reports one or more bundled CR...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: C4 [glsa+]
Keywords:
Depends on:
Blocks:
Reported: 2022-08-06 15:31 UTC by Agostino Sarubbo
Modified: 2024-07-01 06:12 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2022-08-06 15:31:53 UTC
Dear maintainer(s),
'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the content of 'cargo audit' here:

      Loaded 433 security advisories (from /tmp/advisory-db)
    Scanning Cargo.lock for vulnerabilities (45 crate dependencies)
Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in `localtime_r` invocations
Date:      2020-11-10
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:  Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

error: 1 vulnerability found!
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-06 21:45:13 UTC
The vulnerabilities seem to have been fixed now:

sol /var/tmp/portage/dev-python/cryptography-41.0.7/work/cryptography-41.0.7 # cargo audit --file ./src/rust/Cargo.lock
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 585 security advisories (from /root/.cargo/advisory-db)
    Updating crates.io index
    Scanning ./src/rust/Cargo.lock for vulnerabilities (58 crate dependencies)
Crate:     ouroboros
Version:   0.15.6
Warning:   unsound
Title:     Ouroboros is Unsound
Date:      2023-06-11
ID:        RUSTSEC-2023-0042
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0042
Dependency tree:
ouroboros 0.15.6
└── cryptography-rust 0.1.0

warning: 1 allowed warning found

Seems like it was fixed in this commit, which is in 41.0.0:

commit eeca346f23d2595864ec3cff86d562974cff480a
Author: Paul Kehrer <paul.l.kehrer@gmail.com>
Date:   Tue Apr 4 20:04:55 2023 +0900

    upgrade rust-asn1, which removes chrono dep (#8664)

    * use new rust-asn1 non-chrono path

    * bump asn1

    * oh yeah, remove that
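The two reports quoted in this bug (the 2022 run in the description and the 2024 run above) use the same plain-text layout. As an added example, not part of this bug report and not code from cargo-audit or cryptography, the parser below turns that layout into records so a build check can separate a real vulnerability (summarised by cargo audit as "error: N vulnerability found!") from an allowed warning such as the "unsound" one in the 2024 run. The sample text is constructed from the 2024 output.

```python
import re

# One "Key:   value" line of an advisory block. Case-sensitive on purpose so the
# report's final "warning: 1 allowed warning found" summary line does not match.
FIELD_RE = re.compile(r"^(Crate|Version|Warning|Title|Date|ID|URL|Solution):\s+(.*)$")

def parse_cargo_audit(text: str) -> list[dict]:
    """One dict per advisory. A block starts at 'Crate:'; its 'Dependency tree:'
    lines run to the next blank line. 'kind' is the Warning class or 'vulnerability'."""
    advisories, cur, in_tree = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crate:"):
            cur = {"kind": "vulnerability", "tree": []}
            advisories.append(cur)
            in_tree = False
        if cur is None:
            continue                      # preamble: "Loaded ...", "Scanning ..."
        if line == "Dependency tree:":
            in_tree = True
        elif (m := FIELD_RE.match(line)):
            key, value = m.group(1).lower(), m.group(2).strip()
            cur["kind" if key == "warning" else key] = value
        elif in_tree and line:
            cur["tree"].append(line)
        elif not line:
            in_tree = False
    return advisories

def blocking_ids(advisories: list[dict]) -> list[str]:
    """RUSTSEC IDs cargo audit counts as vulnerabilities, not allowed warnings."""
    return [a["id"] for a in advisories if a["kind"] == "vulnerability"]

# Constructed sample: the 2024 run quoted in this bug (one allowed warning).
SAMPLE_2024 = """\
    Scanning ./src/rust/Cargo.lock for vulnerabilities (58 crate dependencies)
Crate:     ouroboros
Version:   0.15.6
Warning:   unsound
Title:     Ouroboros is Unsound
Date:      2023-06-11
ID:        RUSTSEC-2023-0042
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0042
Dependency tree:
ouroboros 0.15.6
└── cryptography-rust 0.1.0

warning: 1 allowed warning found
"""
```

Feeding the 2022 report from the description through the same functions yields one advisory of kind "vulnerability" with solution "Upgrade to >=0.4.20", which is the case a build should fail on.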
Comment 2 Larry the Git Cow gentoo-dev 2024-07-01 06:10:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c64e048a91b0aa0d481f453db2b0de77a5123fc4

commit c64e048a91b0aa0d481f453db2b0de77a5123fc4
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-01 05:59:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-07-01 06:09:25 +0000

    [ GLSA 202407-06 ] cryptography: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/769419
    Bug: https://bugs.gentoo.org/864049
    Bug: https://bugs.gentoo.org/893576
    Bug: https://bugs.gentoo.org/918685
    Bug: https://bugs.gentoo.org/925120
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202407-06.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)