From 834b93489e5ed0873bf2267bf418a3065bfecea1 Mon Sep 17 00:00:00 2001
From: Jamey Sharp 
Date: Mon, 1 Apr 2024 13:57:26 -0700
Subject: [PATCH] Record cargo-vet violations for older zstd versions

When I tried to audit our previous exemption for zstd, I found two buffer overruns which were reachable from safe Rust, although not reachable from Wasmtime. I got them fixed upstream but didn't update our cargo-vet audits to reflect the issue with the older versions. Alex updated our dependencies to pull in the fixed versions in #7870, and this PR notes for the benefit of anyone importing the Bytecode Alliance audit set that older versions should not be used.
See https://github.com/gyscos/zstd-rs/pull/231
---
 supply-chain/audits.toml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
index 3773ed23dff..09733e404d5 100644
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -3231,6 +3231,12 @@ No major updates to the crate here. Small updates to `unsafe` code which are refactorings of what was there prior. """
+[[audits.zstd]]
+who = "Jamey Sharp "
+criteria = "safe-to-deploy"
+violation = "<0.13.0"
+notes = "Buffer overrun fixed in https://github.com/gyscos/zstd-rs/pull/231"
+
 [[audits.zstd-safe]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
@@ -3241,6 +3247,12 @@ Does contain new unsafe code, notably an implementation of an internal trait for the standard library `io::Cursor` type. """
+[[audits.zstd-safe]]
+who = "Jamey Sharp "
+criteria = "safe-to-deploy"
+violation = "<7.0.0"
+notes = "Buffer overrun fixed in https://github.com/gyscos/zstd-rs/pull/231"
+
 [[trusted.aho-corasick]]
 criteria = "safe-to-deploy"
 user-id = 189 # Andrew Gallant (BurntSushi)
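Review bot: The `violation = "<0.13.0"` and `violation = "<7.0.0"` bounds are the load-bearing security claim in both hunks — they tell every importer of this audit set that zstd 0.13.0 and zstd-safe 7.0.0 are the first releases without the overruns — yet the notes cite only the upstream PR, not the release that first shipped it, so a reader cannot check that the bound is not too narrow; if the fix landed in a later patch release, the vulnerable versions in between would still be certified safe-to-deploy. Please confirm the first fixed versions against the zstd-rs release containing PR #231 and tighten the ranges if they differ, and record that release in the note so the bound is verifiable. The notes also understate what the commit message says: importers see only this file, so I would write `notes = "Two buffer overruns reachable from safe Rust (not reachable from Wasmtime); fixed upstream in https://github.com/gyscos/zstd-rs/pull/231"`. The leading context of each hunk is the tail of the previous entry's multi-line notes string, so the surrounding `[[audits.zstd-safe]]` and preceding entries begin outside the hunk.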