Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Separately update zbus to 1.9.2 to fix cargo audit issue #59

Merged
merged 1 commit into from
Oct 12, 2021

Conversation

rnestler
Copy link
Owner

@rnestler rnestler commented Oct 12, 2021

This was done using cargo update zbus --precise=1.9.2, since cargo update did only update to 1.9.1.

Also note that now runing cargo update will downgrade zbus again to 1.9.1:

% cargo update
Updating crates.io index
Updating bitflags v1.2.1 -> v1.3.2
  Adding cfg-if v0.1.10
Removing memoffset v0.6.4
Updating nix v0.20.2 -> v0.17.0
  Adding void v1.0.2
Updating zbus v1.9.2 -> v1.9.1
Updating zbus_macros v1.9.2 -> v1.9.1

See also the following cargo issues:

The reason for this is that cargo audit complained about a vulnerability (https://github.com/rnestler/reboot-arch-btw/runs/3869525660):

Run cargo audit
   Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
     Loaded 367 security advisories (from /github/home/.cargo/advisory-db)
   Updating crates.io index
   Scanning Cargo.lock for vulnerabilities (116 crate dependencies)
error: 1 vulnerability found!
Crate:         nix
Version:       0.17.0
Title:         Out-of-bounds write in nix::unistd::getgrouplist
Date:          2021-09-27
ID:            RUSTSEC-2021-0119
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0119
Solution:      Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree: 
nix 0.17.0
└── zbus 1.9.1
   └── notify-rust 4.5.4
       └── reboot-arch-btw 0.3.2

This was done using `cargo update zbus --precise=1.9.2`, since `cargo
update` did only update to 1.9.1.

Also note that now runing `cargo update` will *downgrade* zbus again to 1.9.1:

    % cargo update
	Updating crates.io index
	Updating bitflags v1.2.1 -> v1.3.2
	  Adding cfg-if v0.1.10
	Removing memoffset v0.6.4
	Updating nix v0.20.2 -> v0.17.0
	  Adding void v1.0.2
	Updating zbus v1.9.2 -> v1.9.1
	Updating zbus_macros v1.9.2 -> v1.9.1

See also the following cargo issues:
 * rust-lang/cargo#7671
 * rust-lang/cargo#5702
@rnestler rnestler merged commit 3107e89 into master Oct 12, 2021
@rnestler rnestler deleted the fix-cargo-audit branch October 12, 2021 12:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant