Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tokio v0.1.22 uses vulnerable crates #1345

Closed
yaa110 opened this issue Jul 23, 2019 · 8 comments
Closed

tokio v0.1.22 uses vulnerable crates #1345

yaa110 opened this issue Jul 23, 2019 · 8 comments

Comments

@yaa110
Copy link

yaa110 commented Jul 23, 2019
edited
Loading

Version

  • 0.1.22

Platform

Linux username 5.2.1-arch1-1-ARCH #1 SMP PREEMPT Sun Jul 14 14:52:52 UTC 2019 x86_64 GNU/Linux

Subcrates

  • tokio-threadpool > crossbeam-deque > crossbeam-epoch > memoffset
tokio v0.1.22
    ├── tokio-threadpool v0.1.15
    │   ├── crossbeam-deque v0.7.1
    │   │   ├── crossbeam-epoch v0.7.1
    │   │   │   ├── memoffset v0.2.1

Description

Please run cargo audit:

Fetching advisory database from `https://github.com/RustSec/advisory-db.git` 
Loaded 33 security advisories (from /usr/local/cargo/advisory-db)
Scanning Cargo.lock for vulnerabilities (178 crate dependencies)
error: Vulnerable crates found!

ID:	 RUSTSEC-2019-0011
Crate:	 memoffset
Version: 0.2.1
Date:	 2019-07-16
URL:	 https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490
Title:	 Flaw in offset_of and span_of causes SIGILL, drops uninitialized memory of arbitrary type on panic in client code
Solution: upgrade to: >= 0.5.0

error: 1 vulnerability found!
@dekellum
Copy link
Contributor

See crossbeam-rs/crossbeam#395, crossbeam-rs/crossbeam#402 and pending crossbeam-epoch release in crossbeam-rs/crossbeam#401.

@carllerche
Copy link
Member

@yaa110 what action do you expect to be taken based on this issue?

@yaa110
Copy link
Author

yaa110 commented Jul 23, 2019
edited
Loading

@carllerche
updating dependencies to address the security bug

@carllerche
Copy link
Member

@yaa110 updating dependencies is transparent to end users once it is released.

@dekellum
Copy link
Contributor

I'm enquiring if this will be released as crossbeam-epoch-0.7.2 (transparent PATCH update for tokio users) or 0.8.0 (MINOR releases). If its only the later, then tokio will require version bumps. FWIW, I have some other changes I'd like to backport here to v0.1.x, and my proposal for that is now awaiting an answer regarding crossbeam.

@gakonst gakonst mentioned this issue Jul 24, 2019
Merged
@LucioFranco
Copy link
Member

@dekellum what items are you looking to backport? I think it may be a good idea to give 0.1 a bump anyways.

@dekellum dekellum mentioned this issue Jul 24, 2019
Closed
@dekellum
Copy link
Contributor

crossbeam-epoch-0.7.2 was just released with memoffset 0.5. dep, so tokio users get this fix with a cargo update, transparently.

@boundless-forest boundless-forest mentioned this issue Jul 29, 2019
Merged
@carllerche
Copy link
Member

@dekellum Thanks for following up 👍 closing this now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@carllerche @dekellum @yaa110 @LucioFranco