
cargo audit finding in cert-renewal #481

Closed
JanZachmann opened this issue Nov 8, 2022 · 1 comment

Comments


JanZachmann commented Nov 8, 2022

Hi everybody

Running cargo audit points out the following vulnerability:

Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.44

which is introduced here:

A PR fixing the issue can be found here: #482

JanZachmann added a commit to JanZachmann/iot-identity-service that referenced this issue Nov 8, 2022
arsing (Member) commented Nov 8, 2022

That CVE has been discussed to death already. The tl;dr is:

  1. chrono does not use the code path in time 0.1 that triggers the error. (The call to localtime_r may be unsound, chronotope/chrono#499 (comment))

  2. chrono independently has the same bug as the one in time 0.1, which is a different CVE. (CVE-2020-26235 advisory for time 0.1 dependency, chronotope/chrono#602 (comment) / https://rustsec.org/advisories/RUSTSEC-2020-0159.html)

  3. The CVE in (2) is only encountered when using chrono's local time API, not when using its UTC time API. Also, even then it only happens when using the local time API while some other part of the process is modifying env vars.

And, since we only use chrono's UTC time API, there is no code path in i-i-s that is affected.
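As an added example (not part of this issue or of the iot-identity-service project), this is how the reasoning above can be recorded so that cargo audit stops reporting the advisory while the justification stays next to the suppression. The file path `.cargo/audit.toml` and the `[advisories] ignore` key are cargo-audit's documented configuration format; the comment text is ours.

```toml
# .cargo/audit.toml (added example; path and keys follow cargo-audit's config format)
[advisories]
# RUSTSEC-2020-0071: potential segfault in time 0.1 (localtime_r).
# The unsound path is only reachable through chrono's local-time API, and
# only while another part of the process is modifying environment variables.
# This crate calls chrono's UTC API only, so the path is not reachable.
# Re-check this justification whenever chrono or time is bumped.
ignore = ["RUSTSEC-2020-0071"]
```

For a one-off run, `cargo audit --ignore RUSTSEC-2020-0071` has the same effect, but the config file keeps the reason in the repository where reviewers can see it. After any dependency update, `cargo tree -i time` shows which crates still pull in time 0.1, so the "only chrono, only UTC" assumption can be re-verified rather than carried forward silently.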

Narsil added a commit to huggingface/tokenizers that referenced this issue Nov 9, 2022
* Adding rust audit.

* Update clap version + derive_builder (they clashed).

* Ignoring specific CVE which can be ignored

Azure/iot-identity-service#481

* Updating python lock.

* Revert `derive-builder` update.

* Adding back help msg.