
RUSTSEC-2021-0073: Conversion from prost_types::Timestamp to SystemTime can cause an overflow and panic #302

Closed
github-actions bot opened this issue Jul 9, 2021 · 2 comments

Comments


github-actions bot commented Jul 9, 2021

Conversion from prost_types::Timestamp to SystemTime can cause an overflow and panic

Details

| Field | Value |
| --- | --- |
| Package | prost-types |
| Version | 0.7.0 |
| URL | tokio-rs/prost#438 |
| Date | 2021-07-08 |
| Patched versions | >=0.8.0 |

Affected versions of this crate contained a bug in which untrusted input could cause an overflow and panic when converting a Timestamp to SystemTime.

It is recommended to upgrade to prost-types v0.8 and switch the usage of From<Timestamp> for SystemTime to TryFrom<Timestamp> for SystemTime.

See #438 for more information.

See advisory page for additional details.

@l1h3r l1h3r added the Dependencies Issues related to an update of a dependency file label Jul 14, 2021
@JelleMillenaar (Collaborator) commented

@cycraig I believe you already looked at this? Didn't we just have to wait for tokio to update a dependency? Does that mean we close this or do we keep it open to remind ourselves to update tokio?


cycraig commented Oct 19, 2021

The dependency is libp2p I think and it has since been updated to use a later version of prost-build and prost-types.

I do wonder whether we need to change our usage of SystemTime in libjose to avoid the same issue, however:

```rust
use std::time::SystemTime;

// The struct itself was not included in the comment; field types are assumed
// from `TimeCop::new` (all `Option<SystemTime>`).
struct TimeCop {
  current: Option<SystemTime>,
  max_iat: Option<SystemTime>,
  min_iat: Option<SystemTime>,
}

impl TimeCop {
  /// Creates a new `TimeCop`.
  pub const fn new() -> Self {
    Self {
      current: None,
      max_iat: None,
      min_iat: None,
    }
  }

  pub fn set_current(&mut self, value: impl Into<SystemTime>) {
    self.current = Some(value.into());
  }
}
```

Since Into<SystemTime> could be vulnerable depending on what implements it. We don't use TimeCop::set_current anywhere so maybe the function should be removed to avoid any potential problems down the line?
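
The following is an added example, not code from this repository or from prost-types. It shows the two points raised in this thread in working form: the advisory's recommendation to convert with `TryFrom<Timestamp> for SystemTime` instead of `From`, and the concern above that a setter taking `impl Into<SystemTime>` inherits whatever overflow panic the `Into` impl carries. The `Timestamp` struct is a constructed stand-in for `prost_types::Timestamp` (same `seconds`/`nanos` fields) so the code runs without prost; `TimestampOutOfRange` and `Clock` are hypothetical names chosen for the example. Every arithmetic step is checked, so an out-of-range timestamp becomes an `Err` the caller must handle rather than a panic.

```rust
use std::convert::{TryFrom, TryInto};
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Constructed stand-in for `prost_types::Timestamp` (seconds since the Unix
/// epoch plus a nanosecond part), so the example runs without prost.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Timestamp {
    pub seconds: i64,
    pub nanos: i32,
}

/// Returned when the timestamp cannot be represented as a `SystemTime`.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct TimestampOutOfRange;

/// Fallible conversion in the shape the advisory recommends (`TryFrom`
/// instead of `From`). Example code, not the prost-types implementation:
/// every arithmetic step is checked, so untrusted input yields `Err`
/// instead of an overflow panic.
impl TryFrom<Timestamp> for SystemTime {
    type Error = TimestampOutOfRange;

    fn try_from(ts: Timestamp) -> Result<SystemTime, TimestampOutOfRange> {
        // Normalize so that 0 <= nanos < 1e9, carrying whole seconds with
        // checked addition; an unchecked carry is one place a conversion
        // from attacker-supplied fields can overflow i64.
        let carry = i64::from(ts.nanos.div_euclid(1_000_000_000));
        let nanos = ts.nanos.rem_euclid(1_000_000_000) as u64;
        let seconds = ts.seconds.checked_add(carry).ok_or(TimestampOutOfRange)?;

        // Move away from the epoch with checked SystemTime arithmetic.
        // unsigned_abs handles i64::MIN, which has no positive i64 counterpart.
        let base = if seconds >= 0 {
            UNIX_EPOCH.checked_add(Duration::from_secs(seconds as u64))
        } else {
            UNIX_EPOCH.checked_sub(Duration::from_secs(seconds.unsigned_abs()))
        };
        base.and_then(|t| t.checked_add(Duration::from_nanos(nanos)))
            .ok_or(TimestampOutOfRange)
    }
}

/// Hypothetical holder with the `set_current` shape discussed in the thread,
/// but bounded by `TryInto` so a failed conversion surfaces as a value the
/// caller must handle instead of a panic inside the setter.
#[derive(Debug, Default)]
pub struct Clock {
    current: Option<SystemTime>,
}

impl Clock {
    pub fn set_current<T>(&mut self, value: T) -> Result<(), T::Error>
    where
        T: TryInto<SystemTime>,
    {
        self.current = Some(value.try_into()?);
        Ok(())
    }

    pub fn current(&self) -> Option<SystemTime> {
        self.current
    }
}

fn main() {
    // Constructed inputs: one valid, one whose carry overflows i64 seconds.
    let valid = Timestamp { seconds: 1_625_788_800, nanos: 0 };
    let hostile = Timestamp { seconds: i64::MAX, nanos: 1_500_000_000 };
    println!("valid   -> {:?}", SystemTime::try_from(valid));
    println!("hostile -> {:?}", SystemTime::try_from(hostile));

    let mut clock = Clock::default();
    println!("set_current(hostile) -> {:?}", clock.set_current(hostile));
    println!("clock.current() -> {:?}", clock.current());
}
```

Because the blanket `impl<T, U> TryInto<U> for T where U: TryFrom<T>` applies, `Clock::set_current` accepts a `SystemTime` directly (infallibly) as well as the `Timestamp` above (fallibly); the setter's signature, not the caller's trust in the input, decides whether an overflow can panic.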

@cycraig cycraig linked a pull request Oct 21, 2021 that will close this issue
@cycraig cycraig removed a link to a pull request Oct 21, 2021
@cycraig cycraig closed this as completed Oct 21, 2021