cargo audit alert for smallvec 1.6.0 #274

Closed
smhmayboudi opened this issue Jan 20, 2021 · 5 comments · Fixed by #276

Comments

@smhmayboudi

Hi, would you please check cargo audit. I receive a message regarding one of parking_lot_core's deps, and it would be nice to put cargo audit in your build pipeline.

Crate:         smallvec
Version:       1.6.0
Title:         Buffer overflow in SmallVec::insert_many
Date:          2021-01-08
ID:            RUSTSEC-2021-0003
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0003
Solution:      Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1

@bjorn3
Contributor

bjorn3 commented Jan 20, 2021

1.6.1 is semver compatible with 1.6.0, so you only need to do cargo update -p smallvec on your project to use a version of smallvec that has fixed this issue.
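As an added example (not code from the parking_lot project or from anyone in this thread), the following POSIX shell script checks a Cargo.lock for smallvec entries that fall outside the advisory's fixed ranges (">=0.6.14, <1.0.0 OR >=1.6.1") and points at the cargo update -p smallvec remediation from the comment above. The Cargo.lock it writes is a constructed sample; the crate named example-crate in it is a placeholder, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of parking_lot or of this issue: flag smallvec versions in a
# Cargo.lock that RUSTSEC-2021-0003 covers. Per the advisory, the fixed versions are
# >=0.6.14 (<1.0.0) and >=1.6.1; everything else in the 0.x and 1.x series is affected.

# Exit status 0 when the version given as $1 is affected, 1 when it is patched.
# Only plain MAJOR.MINOR.PATCH is handled; a pre-release suffix on PATCH is dropped.
smallvec_is_affected() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  major=$1; minor=$2; patch=${3%%-*}
  if [ "$major" -eq 0 ]; then
    # 0.x series: fixed in 0.6.14
    [ "$minor" -lt 6 ] || { [ "$minor" -eq 6 ] && [ "$patch" -lt 14 ]; }
  elif [ "$major" -eq 1 ]; then
    # 1.x series: fixed in 1.6.1
    [ "$minor" -lt 6 ] || { [ "$minor" -eq 6 ] && [ "$patch" -lt 1 ]; }
  else
    return 1   # later major versions are outside the advisory's affected range
  fi
}

# Print every smallvec version recorded in the Cargo.lock given as $1, one per line.
# A lockfile may legitimately carry several versions of the same crate.
lock_smallvec_versions() {
  awk '
    /^name = "smallvec"$/ { want = 1; next }
    want && /^version = / { gsub(/"/, "", $3); print $3; want = 0 }
  ' "$1"
}

# Report each affected entry on stderr and print the number of affected entries.
affected_count() {
  n=0
  for v in $(lock_smallvec_versions "$1"); do
    if smallvec_is_affected "$v"; then
      echo "smallvec $v is affected by RUSTSEC-2021-0003 (fix: cargo update -p smallvec)" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Constructed sample lockfile: one affected entry (1.6.0, the version from the report
# above) and one patched 0.6.x entry. "example-crate" is a placeholder, not a real crate.
write_sample_lock() {
  cat > "$1" <<'EOF'
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
[[package]]
name = "example-crate"
version = "0.1.0"
dependencies = [
 "smallvec 0.6.14",
 "smallvec 1.6.0",
]

[[package]]
name = "smallvec"
version = "0.6.14"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "smallvec"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
}

# Stand-alone run: scan the Cargo.lock given on the command line, or the sample.
if [ -n "$1" ]; then
  lock=$1
else
  lock=$(mktemp); write_sample_lock "$lock"
fi
echo "affected smallvec entries in $lock: $(affected_count "$lock")"
```

Run it as `sh check_smallvec.sh path/to/Cargo.lock`; with no argument it scans the constructed sample and reports one affected entry. With a vendored tree, updating the lockfile alone does not replace the sources already in the vendor directory; cargo vendor has to be re-run after cargo update so that the patched crate is what gets built.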

@smhmayboudi
Author

Thanks, I tried but it did not work out. FYI, I am using cargo vendor.

@FintanH
Contributor

FintanH commented Jan 27, 2021

I came across this as well. Here are the relevant links:

Would it be acceptable to have a PR with smallvec set to 1.6, since 1.0 doesn't contain the fix?

@Amanieu
Owner

Amanieu commented Jan 27, 2021

Sure.

@FintanH
Contributor

FintanH commented Jan 27, 2021

Awesome :) I took the initiative and submitted it 👍

FintanH added a commit to radicle-dev/radicle-link that referenced this issue Jan 27, 2021
We force the smallvec dependency to be 1.6.1 due to the vulnerability
outlined in the issue here
Amanieu/parking_lot#274. We depend on governor
which in turn depends on parking_lot.

Signed-off-by: Fintan Halpenny <fintan.halpenny@gmail.com>
FintanH added a commit to radicle-dev/radicle-link that referenced this issue Jan 28, 2021
We force the smallvec dependency to be >=1.6.1 due to the vulnerability
outlined in the issue here Amanieu/parking_lot#274.  We depend on
governor which in turn depends on parking_lot.

Also updating the field db-url to db-urls, and outputting the version of
cargo deny for inspection sake.

Signed-off-by: Fintan Halpenny <fintan.halpenny@gmail.com>