Use patched protobuf with RUSTSEC-2019-0003 fix. #7770

Merged
Merged 1 commit into pantsbuild:master on May 20, 2019

Conversation


@jsirois jsirois commented May 20, 2019

A crates index patch was needed here to ensure both our crates and
transitive dependent crates saw the same rust-protobuf. Without this we
hit many errors like:

```
   Compiling bazel_protos v0.0.1 (/home/jsirois/dev/pantsbuild/jsirois-pants/src/rust/engine/process_execution/bazel_protos)
error[E0277]: the trait bound `gen::bytestream::ReadRequest: protobuf::core::Message` is not satisfied
  --> process_execution/bazel_protos/src/gen/bytestream_grpc.rs:23:42
   |
23 |     req_mar: ::grpcio::Marshaller { ser: ::grpcio::pb_ser, de: ::grpcio::pb_de },
   |                                          ^^^^^^^^^^^^^^^^ the trait `protobuf::core::Message` is not implemented for `gen::bytestream::ReadRequest`
   |
   = note: required by `grpcio::codec::pb_codec::ser`
```

Fixes #7760
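To show what the crates index patch described above buys, and how to check that it actually took effect, here is an added example (my code, not part of the pantsbuild PR): a small Rust lint that reads the `[patch.crates-io]` section of a Cargo.toml and the `[[package]]` entries of a Cargo.lock, and reports any patched crate that still appears more than once in the graph or still resolves to a crates.io source. Two copies of rust-protobuf in the graph, one from the registry and one from the fork, is exactly the state behind the `protobuf::core::Message is not implemented` errors quoted above, because each copy defines its own `Message` trait. The Cargo.toml and Cargo.lock text below is constructed for the example; the fork URL and rev are placeholders, not the real pantsbuild fork.

```rust
// Added example, not code from the pantsbuild repository. Checks that a
// `[patch.crates-io]` override replaced a crate for *every* dependent, i.e.
// Cargo.lock holds exactly one copy and it comes from the git fork.
use std::collections::BTreeSet;

/// One `[[package]]` entry from Cargo.lock (only the fields this lint needs).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    /// `None` for path dependencies (workspace members), else the registry or git URL.
    pub source: Option<String>,
}

/// Strip the quotes of a TOML basic string value such as `"2.0.6"`.
fn unquote(v: &str) -> String {
    v.trim().trim_matches('"').to_string()
}

/// Line-oriented parser for the `[[package]]` tables Cargo writes to Cargo.lock.
/// Cargo emits one `key = "value"` per line, so a full TOML parser is not needed.
pub fn parse_lock(lock: &str) -> Vec<LockedPackage> {
    let mut pkgs = Vec::new();
    let mut cur: Option<LockedPackage> = None;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            pkgs.extend(cur.take());
            cur = Some(LockedPackage { name: String::new(), version: String::new(), source: None });
        } else if line.starts_with('[') {
            // Any other table (e.g. `[metadata]`) ends the current package.
            pkgs.extend(cur.take());
        } else if let Some(p) = cur.as_mut() {
            if let Some((k, v)) = line.split_once('=') {
                match k.trim() {
                    "name" => p.name = unquote(v),
                    "version" => p.version = unquote(v),
                    "source" => p.source = Some(unquote(v)),
                    _ => {} // checksum, dependencies list, etc.
                }
            }
        }
    }
    pkgs.extend(cur);
    pkgs
}

/// Crate names listed under `[patch.crates-io]` in a Cargo.toml.
pub fn patched_crates(manifest: &str) -> BTreeSet<String> {
    let mut in_patch = false;
    let mut names = BTreeSet::new();
    for raw in manifest.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            in_patch = line == "[patch.crates-io]";
        } else if in_patch && !line.starts_with('#') {
            if let Some((k, _)) = line.split_once('=') {
                names.insert(k.trim().to_string());
            }
        }
    }
    names
}

fn is_git(p: &LockedPackage) -> bool {
    p.source.as_deref().map_or(false, |s| s.starts_with("git+"))
}

/// One problem string per patched crate that did not resolve to exactly one
/// git-sourced copy. Empty means the patch took effect for the whole graph.
pub fn check_patch_applied(manifest: &str, lock: &str) -> Vec<String> {
    let pkgs = parse_lock(lock);
    let mut problems = Vec::new();
    for name in patched_crates(manifest) {
        let copies: Vec<&LockedPackage> = pkgs.iter().filter(|p| p.name == name).collect();
        match copies.as_slice() {
            [] => problems.push(format!("{}: patched but absent from Cargo.lock", name)),
            [one] if is_git(one) => {}
            [one] => problems.push(format!(
                "{}: still resolves to {} from {}",
                name, one.version, one.source.as_deref().unwrap_or("(path)")
            )),
            many => problems.push(format!(
                "{}: {} copies in the graph: {}",
                name,
                many.len(),
                many.iter()
                    .map(|p| format!("{} from {}", p.version, p.source.as_deref().unwrap_or("(path)")))
                    .collect::<Vec<_>>()
                    .join("; ")
            )),
        }
    }
    problems
}

/// Constructed Cargo.toml fragment. The fork URL and rev are placeholders.
pub const MANIFEST: &str = r#"
[dependencies]
protobuf = { version = "2.0.6", features = ["with-bytes"] }

[patch.crates-io]
protobuf = { git = "https://github.com/example/rust-protobuf.git", rev = "0000000000000000000000000000000000000000" }
"#;

/// Constructed Cargo.lock before the patch: registry and fork copies coexist.
pub const LOCK_UNPATCHED: &str = r#"
[[package]]
name = "bazel_protos"
version = "0.0.1"

[[package]]
name = "protobuf"
version = "2.0.6"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "protobuf"
version = "2.0.6"
source = "git+https://github.com/example/rust-protobuf.git?rev=0000000000000000000000000000000000000000#0000000000000000000000000000000000000000"
"#;

/// Constructed Cargo.lock after the patch: a single fork-sourced copy.
pub const LOCK_PATCHED: &str = r#"
[[package]]
name = "bazel_protos"
version = "0.0.1"

[[package]]
name = "protobuf"
version = "2.0.6"
source = "git+https://github.com/example/rust-protobuf.git?rev=0000000000000000000000000000000000000000#0000000000000000000000000000000000000000"
"#;

fn main() {
    for &(label, lock) in [("unpatched", LOCK_UNPATCHED), ("patched", LOCK_PATCHED)].iter() {
        let problems = check_patch_applied(MANIFEST, lock);
        if problems.is_empty() {
            println!("{}: OK, patch took effect for every dependent", label);
        } else {
            println!("{}: {}", label, problems.join("\n"));
        }
    }
}
```

Run it in the same CI step as `cargo audit`: a non-empty result means some transitive dependency still pulls the registry crate, which a version bump under `[dependencies]` alone cannot fix, since `[patch.crates-io]` is what rewrites the source for every dependent at once.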

@@ -24,7 +24,7 @@ lazy_static = "1"
lmdb = { git = "https://github.com/pantsbuild/lmdb-rs.git", rev = "06bdfbfc6348f6804127176e561843f214fc17f8" }
log = "0.4"
parking_lot = "0.6"
protobuf = { version = "2.0.4", features = ["with-bytes"] }
protobuf = { version = "2.0.6", features = ["with-bytes"] }
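Review bot: the bump from 2.0.4 to 2.0.6 on this line does not by itself express the fix, and 2.0.6 is the very version the linked issue names as vulnerable to RUSTSEC-2019-0003; the actual remedy is the crates index patch the commit message describes, which is not in this hunk. Since `version = "2.0.6"` is a caret requirement that any later 2.x also satisfies, a reader of Cargo.toml alone cannot tell that the requirement is being met by the patched fork rather than by crates.io, nor that this line and the patch entry need to go together once a fixed release ships. Suggest a comment above the line, for example `# Satisfied by the [patch.crates-io] override for RUSTSEC-2019-0003; see #7760.`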
@jsirois jsirois May 20, 2019

NB: We already were being floated up to 2.0.6 by cargo (see Cargo.lock) - I just edited these to make it more clear how the cargo index patch applies.

@Eric-Arellano Eric-Arellano left a comment


I think we can kill this --ignore flag below now, right?

```
# TODO(John Sirois): Kill --ignore RUSTSEC-2019-0003 when we can upgrade to an official released
# version of protobuf with a fix.
# See: https://github.com/pantsbuild/pants/issues/7760 for context.
"${REPO_ROOT}/build-support/bin/native/cargo" audit \
  -f "${REPO_ROOT}/src/rust/engine/Cargo.lock" \
  --ignore RUSTSEC-2019-0003
```

While the TODO says to wait until the official patch is landed, with us now using Pants' version of protobuf I think we can clean that part up now. The only remaining cleanup once the patch lands would be to update Cargo.toml.


jsirois commented May 20, 2019

> I think we can kill this --ignore flag below now, right?

Nope. There is no remedy recognized by the database. We'd need to clone the database, edit RUSTSEC-2019-0003 and cron refreshes of the db.

Edit: They just committed remedies: https://github.com/RustSec/advisory-db/commits/master/crates/protobuf/RUSTSEC-2019-0003.toml however we'll need to upgrade through several minor versions to get there. I've filed #7771 to track that yak. I need to be moving on at the moment to other work.

@jsirois jsirois merged commit d4d8f4c into pantsbuild:master May 20, 2019
@jsirois jsirois deleted the issues/7760 branch May 20, 2019 20:03
Linked issue (may be closed by this pull request): OOM vulnerability in protobuf 2.0.6: RUSTSEC-2019-0003