Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Problem: cargo audit fails #20

Open
devashishdxt opened this issue Jul 29, 2021 · 5 comments
Open

Problem: cargo audit fails #20

devashishdxt opened this issue Jul 29, 2021 · 5 comments
Assignees
@devashishdxt

Comments

@devashishdxt
Copy link
Collaborator

devashishdxt commented Jul 29, 2021
edited

Vulnerabilities

RUSTSEC-2021-0076

libsecp256k1 allows overflowing signatures

Details
Package libsecp256k1
Version 0.3.5
URL paritytech/libsecp256k1#67
Date 2021-07-13
Patched versions >=0.5.0

libsecp256k1 accepts signatures whose R or S parameter is larger than the
secp256k1 curve order, which differs from other implementations. This could
lead to invalid signatures being verified.

The error is resolved in 0.5.0 by adding a check_overflow flag.

RUSTSEC-2021-0073

Conversion from prost_types::Timestamp to SystemTime can cause an overflow and panic

Details
Package prost-types
Version 0.7.0~
URL tokio-rs/prost#438
Date 2021-07-08
Patched versions >=0.8.0

Affected versions of this crate contained a bug in which untrusted input could cause an overflow and panic when converting a Timestamp to SystemTime.

It is recommended to upgrade to prost-types v0.8 and switch the usage of From<Timestamp> for SystemTime to TryFrom<Timestamp> for SystemTime.

See #438 for more information.

RUSTSEC-2020-0159

Potential segfault in localtime_r invocations

Details
Package chrono
Version 0.4.19
URL chronotope/chrono#499
Date 2020-11-10

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

No workarounds are known.
@devashishdxt
Copy link
Collaborator Author

Created a PR to upgrade dependencies of tiny-hderive: maciejhirsz/tiny-hderive#7

@devashishdxt devashishdxt self-assigned this Jul 29, 2021
@tomtau
Copy link
Contributor

tomtau commented Jul 29, 2021

what about using https://crates.io/crates/bip32 instead of tiny-hderive?

@devashishdxt
Copy link
Collaborator Author

what about using https://crates.io/crates/bip32 instead of tiny-hderive?

Created a PR for this: #22.

@devashishdxt
Copy link
Collaborator Author

Regression in v0.8.0 of prost: tokio-rs/prost#502 and tokio-rs/prost#507

@devashishdxt devashishdxt mentioned this issue Oct 29, 2021
Merged
@devashishdxt
Copy link
Collaborator Author

Potential segfault in chrono crate: chronotope/chrono#499

@devashishdxt devashishdxt mentioned this issue May 11, 2022
Merged
@tomtau tomtau assigned devashishdxt and unassigned devashishdxt Jun 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@devashishdxt devashishdxt

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tomtau @devashishdxt