
Known vulnerability in dependency 'pnet' v 0.25.0 #2347

Closed
FlyingRatBull opened this issue Nov 27, 2020 · 5 comments · Fixed by #2348
Labels
A-dependencies Area: library dependencies. E-easy Effort: easy. A task that would be a great starting point for a new contributor.

Comments


FlyingRatBull commented Nov 27, 2020

I ran cargo audit on the current master and got a match for a known vulnerability in pnet 0.25.0:

ID: RUSTSEC-2019-0037
Package: pnet
Version: 0.25.0
Fixed in: not yet fixed
Title: Compiler optimisation for next_with_timeout in pnet::transport::IcmpTransportChannelIterator flaws to SEGFAULT
Description: Affected versions of this crate were optimized out by compiler, which caused dereference of uninitialized file descriptor which caused segfault.
Issue: pnet GitHub issue #449


taiki-e commented Nov 27, 2020

Fixed in: >=0.26.0

Issue: pnet GitHub issue #449

This doesn't really seem to have been fixed yet. (libpnet/libpnet#455)

FlyingRatBull (Author)

Fixed in: >=0.26.0

Issue: pnet GitHub issue #449

This doesn't really seem to have been fixed yet. (libpnet/libpnet#455)

Good catch, I will file an update to the security advisory database.

seanmonstar (Member)

Thanks for the report, definitely worth getting a fix in. Good news is that it's only used in hyper's unit tests, so not part of the actual library.

@seanmonstar seanmonstar added A-dependencies Area: library dependencies. E-easy Effort: easy. A task that would be a great starting point for a new contributor. labels Nov 27, 2020
mrmonday (Contributor)

Additionally, it looks like the unit tests do not use any of the code in libpnet which is affected by this vulnerability.

mrmonday added a commit to mrmonday/hyper that referenced this issue Nov 27, 2020
Additionally, only depend on pnet_datalink to reduce compile times.

Closes hyperium#2347
seanmonstar pushed a commit that referenced this issue Nov 28, 2020
Additionally, only depend on pnet_datalink to reduce compile times.

Closes #2347

FlyingRatBull commented Nov 28, 2020

Thanks to the quick reply of the pnet devs, the pull request has been merged and the issue fixed in 0.27.2.

Thank you too for your quick replies!

BenxiangGe pushed a commit to BenxiangGe/hyper that referenced this issue Jul 26, 2021
…perium#2348)

Additionally, only depend on pnet_datalink to reduce compile times.

Closes hyperium#2347