-
Notifications
You must be signed in to change notification settings - Fork 381
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Unsurprisingly this has required a bunch of tests to be updated to handle slightly different variations in file path handling - this eventually resulted in me implementing an actual internal snapshot testing package but I've not included that in here since its sizable on its own; so please keep that in mind when reviewing . (see https://github.com/G-Rath/osv-scanner/commit/1273da79e2e26a18d663da482dc5f09258e15c51 for a sneakpeek on what the snapshot-based testing looks like) ~Note that is failing because file -> url path translation is actually busted; I've opened #645 to fix this and you can see the passing CI when both of these changes are merged in #553~ Resolves #603 Resolves #553
- Loading branch information
Showing
13 changed files
with
1,195 additions
and
36 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| **Your dependency is vulnerable to [OSV-2023-72](https://osv.dev/list?q=OSV-2023-72)**. | ||
|
|
||
| ## [OSV-2023-72](https://osv.dev/vulnerability/OSV-2023-72) | ||
|
|
||
| <details> | ||
| <summary>Details</summary> | ||
|
|
||
| > OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56057 | ||
| > | ||
| > ``` | ||
| > Crash type: Heap-buffer-overflow WRITE 4 | ||
| > Crash state: | ||
| > perfetto::trace_processor::TrackEventParser::ParseTrackDescriptor | ||
| > perfetto::trace_processor::TrackEventModule::ParseTracePacketData | ||
| > perfetto::trace_processor::ProtoTraceParser::ParseTracePacket | ||
| > ``` | ||
| > | ||
| </details> | ||
| --- | ||
| ### Affected Packages | ||
| | Source | Package Name | Package Version | | ||
| | --- | --- | --- | | ||
| | lockfile:/usr/local/google/home/rexpan/Documents/Project/engine/deps_flatten.txt | https://fuchsia.googlesource.com/third_party/android.googlesource.com/platform/external/perfetto | b8da07095979310818f0efde2ef3c69ea70d62c5 | | ||
| ## Remediation | ||
| To fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below. | ||
| ### Fixed Versions | ||
| | Vulnerability ID | Package Name | Fixed Version | | ||
| | --- | --- | --- | | ||
| | OSV-2023-72 | perfetto | 9a7f09383dd39f19e662d428321ca708a2a600a3 | | ||
| If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an | ||
| `osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency. | ||
| See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/ | ||
| Add or append these values to the following config files to ignore this vulnerability: | ||
| `\usr\local\google\home\rexpan\Documents\Project\engine/osv-scanner.toml` | ||
| ``` | ||
| [[IgnoredVulns]] | ||
| id = "OSV-2023-72" | ||
| reason = "Your reason for ignoring this vulnerability" | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,130 @@ | ||
| **Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/list?q=CVE-2022-24713)** | ||
| (Also published as: [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8), ). | ||
|
|
||
| ## [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013) | ||
|
|
||
| <details> | ||
| <summary>Details</summary> | ||
|
|
||
| > The Rust Security Response WG was notified that the `regex` crate did not | ||
| > properly limit the complexity of the regular expressions (regex) it parses. An | ||
| > attacker could use this security issue to perform a denial of service, by | ||
| > sending a specially crafted regex to a service accepting untrusted regexes. No | ||
| > known vulnerability is present when parsing untrusted input with trusted | ||
| > regexes. | ||
| > | ||
| > This issue has been assigned CVE-2022-24713. The severity of this vulnerability | ||
| > is "high" when the `regex` crate is used to parse untrusted regexes. Other uses | ||
| > of the `regex` crate are not affected by this vulnerability. | ||
| > | ||
| > ## Overview | ||
| > | ||
| > The `regex` crate features built-in mitigations to prevent denial of service | ||
| > attacks caused by untrusted regexes, or untrusted input matched by trusted | ||
| > regexes. Those (tunable) mitigations already provide sane defaults to prevent | ||
| > attacks. This guarantee is documented and it's considered part of the crate's | ||
| > API. | ||
| > | ||
| > Unfortunately a bug was discovered in the mitigations designed to prevent | ||
| > untrusted regexes to take an arbitrary amount of time during parsing, and it's | ||
| > possible to craft regexes that bypass such mitigations. This makes it possible | ||
| > to perform denial of service attacks by sending specially crafted regexes to | ||
| > services accepting user-controlled, untrusted regexes. | ||
| > | ||
| > ## Affected versions | ||
| > | ||
| > All versions of the `regex` crate before or equal to 1.5.4 are affected by this | ||
| > issue. The fix is include starting from `regex` 1.5.5. | ||
| > | ||
| > ## Mitigations | ||
| > | ||
| > We recommend everyone accepting user-controlled regexes to upgrade immediately | ||
| > to the latest version of the `regex` crate. | ||
| > | ||
| > Unfortunately there is no fixed set of problematic regexes, as there are | ||
| > practically infinite regexes that could be crafted to exploit this | ||
| > vulnerability. Because of this, we do not recommend denying known problematic | ||
| > regexes. | ||
| > | ||
| > ## Acknowledgements | ||
| > | ||
| > We want to thank Addison Crump for responsibly disclosing this to us according | ||
| > to the [Rust security policy][1], and for helping review the fix. | ||
| > | ||
| > We also want to thank Andrew Gallant for developing the fix, and Pietro Albini | ||
| > for coordinating the disclosure and writing this advisory. | ||
| > | ||
| > [1]: https://www.rust-lang.org/policies/security | ||
| </details> | ||
|
|
||
| ## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8) | ||
|
|
||
| <details> | ||
| <summary>Details</summary> | ||
|
|
||
| > > This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well. | ||
| > | ||
| > [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw | ||
| > | ||
| > The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes. | ||
| > | ||
| > This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability. | ||
| > | ||
| > ## Overview | ||
| > | ||
| > The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. | ||
| > | ||
| > Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. | ||
| > | ||
| > ## Affected versions | ||
| > | ||
| > All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5. | ||
| > | ||
| > ## Mitigations | ||
| > | ||
| > We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate. | ||
| > | ||
| > Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes. | ||
| > | ||
| > ## Acknowledgements | ||
| > | ||
| > We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix. | ||
| > | ||
| > We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory. | ||
| </details> | ||
|
|
||
| --- | ||
|
|
||
| ### Affected Packages | ||
|
|
||
| | Source | Package Name | Package Version | | ||
| | --- | --- | --- | | ||
| | lockfile:/path/to/sub-rust-project/Cargo.lock | regex | 1.5.1 | | ||
|
|
||
| ## Remediation | ||
|
|
||
| To fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below. | ||
|
|
||
| ### Fixed Versions | ||
|
|
||
| | Vulnerability ID | Package Name | Fixed Version | | ||
| | --- | --- | --- | | ||
| | GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 | | ||
| | RUSTSEC-2022-0013 | regex | 1.5.5 | | ||
|
|
||
| If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an | ||
| `osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency. | ||
|
|
||
| See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/ | ||
|
|
||
| Add or append these values to the following config files to ignore this vulnerability: | ||
|
|
||
| `\path\to\sub-rust-project/osv-scanner.toml` | ||
|
|
||
| ``` | ||
| [[IgnoredVulns]] | ||
| id = "CVE-2022-24713" | ||
| reason = "Your reason for ignoring this vulnerability" | ||
| ``` |
Oops, something went wrong.