
Fix stdweb audit advisory RUSTSEC-2020-0056 #85

Closed
notmandatory opened this issue Apr 28, 2022 · 6 comments · Fixed by #139
@notmandatory
Member

```text
% cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 405 security advisories (from /home/steve/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (238 crate dependencies)
Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    ├── cookie_store 0.12.0
    │   └── ureq 1.5.5
    └── cookie 0.14.4
        ├── ureq 1.5.5
        └── cookie_store 0.12.0

warning: 1 allowed warning found
```
@rajarshimaitra
Contributor

rajarshimaitra commented Apr 29, 2022

I think I found the bottom of this hole. The stdweb lib was a complex JS to Rust link library and I have no clue why they needed it in time. And now it's saying unmaintained, so an even higher vulnerability.

Recent versions of time remove stdweb from their deps. And recent ureq ~2.2.0 updates the change.

The problem is occurring from ureq 1.5.5, which uses a lower version of time which still has stdweb, and it's only a requirement of bitcoind.

bdk-cli/Cargo.lock

Lines 266 to 280 in 8d14cf5

```toml
[[package]]
name = "bitcoind"
version = "0.20.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "65ddc41af9556a341c909bc71de33e16da52bf5f8dbda6b7a402054c60bdb722"
dependencies = [
 "bitcoin_hashes 0.10.0",
 "bitcoincore-rpc",
 "flate2",
 "home",
 "log",
 "tar",
 "tempfile",
 "ureq 1.5.5",
]
```

And Ricardo pinned this version for the MSRV constraint.

https://github.com/RCasatta/bitcoind/blob/31e88fdb011e37ebec08c710ad994d62d46b42b7/Cargo.toml#L22

So the easiest way to fix is remove the pin in bitcoind and let it use the latest ureq.

cc @RCasatta

UPDATE: The same situation is there for BDK too.
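The chain traced by hand above (stdweb pulled in by time, by cookie/cookie_store, by ureq 1.5.5, by the bitcoind pin) can be recovered mechanically from a lockfile. The following is an added example, not code from bdk-cli or bitcoind: it parses a constructed Cargo.lock excerpt that mirrors the reported tree (assuming one version per crate) and walks reverse dependencies to list every path from a root crate down to the flagged one, the same question `cargo tree -i stdweb` answers.

```python
import re
# Constructed Cargo.lock excerpt mirroring the chain cargo audit reported in this
# issue (sample data, not the real bdk-cli lockfile; assumes one version per crate).
SAMPLE_LOCK = """\
[[package]]
name = "bitcoind"
version = "0.20.0"
dependencies = ["ureq 1.5.5"]
[[package]]
name = "ureq"
version = "1.5.5"
dependencies = ["cookie", "cookie_store"]
[[package]]
name = "cookie"
version = "0.14.4"
dependencies = ["time"]
[[package]]
name = "cookie_store"
version = "0.12.0"
dependencies = ["cookie", "time"]
[[package]]
name = "time"
version = "0.2.27"
dependencies = ["stdweb"]
[[package]]
name = "stdweb"
version = "0.4.20"
"""

def parse_lock(text):
    """Map crate name -> (version, direct dependency names) from Cargo.lock text."""
    graph = {}
    for block in text.split("[[package]]")[1:]:
        name, version = (re.search(rf'^{k} = "([^"]+)"', block, re.M).group(1) for k in ("name", "version"))
        deps = re.search(r"dependencies = \[(.*?)\]", block, re.S)
        # A dependency entry reads "name" or "name version"; keep only the crate name.
        graph[name] = (version, [d.split()[0] for d in re.findall(r'"([^"]+)"', deps.group(1))] if deps else [])
    return graph

def reverse_paths(graph, target):
    """Every chain root -> ... -> target (like `cargo tree -i`), showing which pin to fix."""
    parents = {}
    for name, (_, deps) in graph.items():
        for dep in deps:
            parents.setdefault(dep, []).append(name)
    def walk(chain):
        ups = [p for p in parents.get(chain[0], []) if p not in chain]  # ignore cycles
        if not ups:
            return [" -> ".join(f"{c} {graph[c][0]}" for c in chain)]
        return [path for p in ups for path in walk([p] + chain)]
    return walk([target])
```

Every returned path starts at bitcoind 0.20.0 and passes through ureq 1.5.5, which is why bumping that single pin clears the advisory.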

@RCasatta
Member

RCasatta commented May 3, 2022

The plan I have in mind is:

@notmandatory
Member Author

notmandatory commented May 3, 2022

On the MSRV question BDK is bumping up to 1.56.0.

Also the focus for the next bdk release 0.19.0 is TP support, so also updating bitcoin to 0.28 along with other dependencies doing the same, like rust-bitcoincore-rpc. Once BDK 0.19.0 is released the high priority for bdk-cli should be to do the corresponding updates.

notmandatory added a commit that referenced this issue May 6, 2022
e2743d1 Update miniscript version to 6.1.0 (Steve Myers)

Pull request description:

  ### Description

  Did a `cargo update` to update `miniscript` dependency in Cargo.lock to `6.1.0` and fix related audit issue.

  ```text
  Crate:         miniscript
  Version:       6.0.1
  Warning:       yanked
  Dependency tree:
  miniscript 6.0.1
  └── bdk 0.17.0
      ├── bdk-reserves 0.17.0
      │   └── bdk-cli 0.5.0
      └── bdk-cli 0.5.0
  ```

  ### Notes to the reviewers

  There is still one audit issue that I can't figure out how to fix; I created #85 to track it.

  ### Checklists

  #### All Submissions:

  * [x] I've signed all my commits
  * [x] I followed the [contribution guidelines](https://github.com/bitcoindevkit/bdk-cli/blob/master/CONTRIBUTING.md)
  * [x] I ran `cargo fmt` and `cargo clippy` before committing

  #### New Features:

  * [ ] I've added tests for the new feature
  * [ ] I've added docs for the new feature
  * [ ] I've updated `CHANGELOG.md`

  #### Bugfixes:

  * [ ] This pull request breaks the existing API
  * [ ] I've added tests to reproduce the issue which are now passing
  * [ ] I'm linking the issue being fixed by this PR

ACKs for top commit:
  rajarshimaitra:
    tACK e2743d1

Tree-SHA512: 0fd9bc7a29faef4477b011d9a9a882f74e7ba70a89b7634742785ebec1933a381d766772922a7c5c76c0460e2c2882c5cc23ff1c66a4edb7d315bcf4890a86ae
@notmandatory notmandatory added this to the Release 0.6.0 milestone Jun 21, 2022
@notmandatory
Member Author

I think this will be fixed by #99 so I assigned it to you @rajarshimaitra to confirm. Thanks!

@rajarshimaitra
Contributor

It seems it's still there with #99

```text
$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 417 security advisories (from /home/raj/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (268 crate dependencies)
Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    ├── cookie_store 0.12.0
    │   └── ureq 1.5.5
    └── cookie 0.14.4
        ├── ureq 1.5.5
        └── cookie_store 0.12.0

warning: 1 allowed warning found
```

@notmandatory
Member Author

Moved this one to bdk-cli 0.7.0 since the updated version of bitcoind 0.27.0 isn't released yet.
