
Fix some ./cargo audit vulnerabilities. #13728

Merged
merged 1 commit into from
Nov 29, 2021

Conversation

@jsirois jsirois commented Nov 29, 2021

This fixes 4 errors and 1 warning leaving 2 errors with no current
solution and 5 warnings.

Besides the manual direct `time` dep upgrades, ran:

```
./cargo update \
    -p crossbeam-deque \
    -p nix \
    -p time \
    -p tokio \
    -p crossbeam-epoch
```

[ci skip-build-wheels]


jsirois commented Nov 29, 2021

The most recent audit cron job failure is here: https://github.com/pantsbuild/pants/runs/4344613379?check_suite_focus=true

$ ./cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 374 security advisories (from /home/jsirois/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (379 crate dependencies)
Crate:         chrono
Version:       0.4.19
Title:         Potential segfault in `localtime_r` invocations
Date:          2020-11-10
ID:            RUSTSEC-2020-0159
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
Dependency tree: 
chrono 0.4.19
└── logging 0.0.1
    ├── ui 0.0.1
    │   └── engine 0.0.1
    └── engine 0.0.1

Crate:         crossbeam-deque
Version:       0.8.0
Title:         Data race in crossbeam-deque
Date:          2021-07-30
ID:            RUSTSEC-2021-0093
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution:      Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree: 
crossbeam-deque 0.8.0
├── rayon-core 1.9.0
│   └── rayon 1.5.0
│       ├── sysinfo 0.17.5
│       │   └── client 0.0.1
│       └── criterion 0.3.3
│           └── store 0.1.0
│               ├── process_executor 0.0.1
│               ├── process_execution 0.0.1
│               │   ├── process_executor 0.0.1
│               │   └── engine 0.0.1
│               ├── fs_util 0.0.1
│               ├── engine 0.0.1
│               └── brfs 0.0.1
└── rayon 1.5.0

Crate:         nix
Version:       0.20.0
Title:         Out-of-bounds write in nix::unistd::getgrouplist
Date:          2021-09-27
ID:            RUSTSEC-2021-0119
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0119
Solution:      Upgrade to >=0.20.2, <0.21.0 OR >=0.21.2, <0.22.0 OR >=0.22.2, <0.23.0 OR >=0.23.0
Dependency tree: 
nix 0.20.0
├── process_execution 0.0.1
│   ├── process_executor 0.0.1
│   └── engine 0.0.1
└── client 0.0.1

Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.44
├── engine 0.0.1
├── chrono 0.4.19
│   └── logging 0.0.1
│       ├── ui 0.0.1
│       │   └── engine 0.0.1
│       └── engine 0.0.1
└── brfs 0.0.1

Crate:         tokio
Version:       1.12.0
Title:         Data race when sending and receiving after closing a `oneshot` channel
Date:          2021-11-16
ID:            RUSTSEC-2021-0124
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:      Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree: 
tokio 1.12.0
├── workunit_store 0.0.1
│   ├── ui 0.0.1
│   │   └── engine 0.0.1
│   ├── task_executor 0.0.1
│   │   ├── watch 0.0.1
│   │   │   └── engine 0.0.1
│   │   ├── ui 0.0.1
│   │   ├── store 0.1.0
│   │   │   ├── process_executor 0.0.1
│   │   │   ├── process_execution 0.0.1
│   │   │   │   ├── process_executor 0.0.1
│   │   │   │   └── engine 0.0.1
│   │   │   ├── fs_util 0.0.1
│   │   │   ├── engine 0.0.1
│   │   │   └── brfs 0.0.1
│   │   ├── sharded_lmdb 0.0.1
│   │   │   ├── store 0.1.0
│   │   │   ├── process_execution 0.0.1
│   │   │   └── cache 0.0.1
│   │   │       ├── process_execution 0.0.1
│   │   │       └── engine 0.0.1
│   │   ├── process_executor 0.0.1
│   │   ├── process_execution 0.0.1
│   │   ├── nailgun 0.0.1
│   │   │   ├── engine 0.0.1
│   │   │   └── client 0.0.1
│   │   ├── graph 0.0.1
│   │   │   └── engine 0.0.1
│   │   ├── fs_util 0.0.1
│   │   ├── fs 0.0.1
│   │   │   ├── watch 0.0.1
│   │   │   ├── testutil 0.0.1
│   │   │   │   ├── watch 0.0.1
│   │   │   │   ├── store 0.1.0
│   │   │   │   ├── process_execution 0.0.1
│   │   │   │   ├── mock 0.0.1
│   │   │   │   │   ├── store 0.1.0
│   │   │   │   │   ├── process_execution 0.0.1
│   │   │   │   │   ├── local_execution_server 0.1.0
│   │   │   │   │   ├── local_cas 0.0.1
│   │   │   │   │   └── engine 0.0.1
│   │   │   │   ├── fs 0.0.1
│   │   │   │   ├── engine 0.0.1
│   │   │   │   └── brfs 0.0.1
│   │   │   ├── store 0.1.0
│   │   │   ├── sharded_lmdb 0.0.1
│   │   │   ├── process_executor 0.0.1
│   │   │   ├── process_execution 0.0.1
│   │   │   ├── fs_util 0.0.1
│   │   │   └── engine 0.0.1
│   │   ├── engine 0.0.1
│   │   ├── cache 0.0.1
│   │   └── brfs 0.0.1
│   ├── store 0.1.0
│   ├── process_executor 0.0.1
│   ├── process_execution 0.0.1
│   ├── fs_util 0.0.1
│   ├── engine 0.0.1
│   └── brfs 0.0.1
├── watch 0.0.1
├── tower 0.4.8
│   ├── tonic 0.6.1
│   │   ├── store 0.1.0
│   │   ├── protos 0.0.1
│   │   │   ├── testutil 0.0.1
│   │   │   ├── store 0.1.0
│   │   │   ├── process_executor 0.0.1
│   │   │   ├── process_execution 0.0.1
│   │   │   ├── mock 0.0.1
│   │   │   ├── local_execution_server 0.1.0
│   │   │   ├── fs_util 0.0.1
│   │   │   ├── engine 0.0.1
│   │   │   ├── cache 0.0.1
│   │   │   └── brfs 0.0.1
│   │   ├── process_execution 0.0.1
│   │   ├── mock 0.0.1
│   │   └── grpc_util 0.0.1
│   │       ├── testutil 0.0.1
│   │       ├── store 0.1.0
│   │       ├── process_executor 0.0.1
│   │       ├── process_execution 0.0.1
│   │       ├── mock 0.0.1
│   │       ├── fs_util 0.0.1
│   │       ├── engine 0.0.1
│   │       ├── cache 0.0.1
│   │       └── brfs 0.0.1
│   └── grpc_util 0.0.1
├── tonic 0.6.1
├── tokio-util 0.6.7
│   ├── tower 0.4.8
│   ├── tonic 0.6.1
│   ├── process_execution 0.0.1
│   ├── nails 0.12.0
│   │   ├── process_execution 0.0.1
│   │   └── nailgun 0.0.1
│   ├── h2 0.3.3
│   │   ├── tonic 0.6.1
│   │   └── hyper 0.14.14
│   │       ├── tonic 0.6.1
│   │       ├── reqwest 0.11.4
│   │       │   └── engine 0.0.1
│   │       ├── mock 0.0.1
│   │       ├── hyper-timeout 0.4.1
│   │       │   └── tonic 0.6.1
│   │       ├── hyper-rustls 0.22.1
│   │       │   └── reqwest 0.11.4
│   │       └── grpc_util 0.0.1
│   ├── grpc_util 0.0.1
│   └── engine 0.0.1
├── tokio-stream 0.1.7
│   ├── tower 0.4.8
│   ├── tonic 0.6.1
│   └── brfs 0.0.1
├── tokio-rustls 0.22.0
│   ├── tonic 0.6.1
│   ├── store 0.1.0
│   ├── reqwest 0.11.4
│   ├── process_execution 0.0.1
│   ├── hyper-rustls 0.22.1
│   └── grpc_util 0.0.1
├── tokio-io-timeout 1.1.1
│   └── hyper-timeout 0.4.1
├── task_executor 0.0.1
├── store 0.1.0
├── stdio 0.0.1
│   ├── ui 0.0.1
│   ├── task_executor 0.0.1
│   ├── logging 0.0.1
│   │   ├── ui 0.0.1
│   │   └── engine 0.0.1
│   └── engine 0.0.1
├── sharded_lmdb 0.0.1
├── reqwest 0.11.4
├── process_executor 0.0.1
├── process_execution 0.0.1
├── nails 0.12.0
├── nailgun 0.0.1
├── mock 0.0.1
├── logging 0.0.1
├── hyper-timeout 0.4.1
├── hyper-rustls 0.22.1
├── hyper 0.14.14
├── h2 0.3.3
├── grpc_util 0.0.1
├── graph 0.0.1
├── fs_util 0.0.1
├── fs 0.0.1
├── engine 0.0.1
├── client 0.0.1
├── brfs 0.0.1
├── async_value 0.0.1
│   └── graph 0.0.1
├── async_semaphore 0.0.1
│   ├── process_execution 0.0.1
│   └── engine 0.0.1
└── async_latch 0.0.1
    ├── nailgun 0.0.1
    └── engine 0.0.1

Crate:         anymap
Version:       0.12.1
Warning:       unmaintained
Title:         anymap is unmaintained.
Date:          2021-05-07
ID:            RUSTSEC-2021-0065
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0065
Dependency tree: 
anymap 0.12.1
└── notify 5.0.0-pre.3
    └── watch 0.0.1
        └── engine 0.0.1

Crate:         cpuid-bool
Version:       0.1.2
Warning:       unmaintained
Title:         `cpuid-bool` has been renamed to `cpufeatures`
Date:          2021-05-06
ID:            RUSTSEC-2021-0064
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0064
Dependency tree: 
cpuid-bool 0.1.2
└── sha2 0.9.2
    ├── process_execution 0.0.1
    │   ├── process_executor 0.0.1
    │   └── engine 0.0.1
    ├── hashing 0.0.1
    │   ├── workunit_store 0.0.1
    │   │   ├── ui 0.0.1
    │   │   │   └── engine 0.0.1
    │   │   ├── task_executor 0.0.1
    │   │   │   ├── watch 0.0.1
    │   │   │   │   └── engine 0.0.1
    │   │   │   ├── ui 0.0.1
    │   │   │   ├── store 0.1.0
    │   │   │   │   ├── process_executor 0.0.1
    │   │   │   │   ├── process_execution 0.0.1
    │   │   │   │   ├── fs_util 0.0.1
    │   │   │   │   ├── engine 0.0.1
    │   │   │   │   └── brfs 0.0.1
    │   │   │   ├── sharded_lmdb 0.0.1
    │   │   │   │   ├── store 0.1.0
    │   │   │   │   ├── process_execution 0.0.1
    │   │   │   │   └── cache 0.0.1
    │   │   │   │       ├── process_execution 0.0.1
    │   │   │   │       └── engine 0.0.1
    │   │   │   ├── process_executor 0.0.1
    │   │   │   ├── process_execution 0.0.1
    │   │   │   ├── nailgun 0.0.1
    │   │   │   │   ├── engine 0.0.1
    │   │   │   │   └── client 0.0.1
    │   │   │   ├── graph 0.0.1
    │   │   │   │   └── engine 0.0.1
    │   │   │   ├── fs_util 0.0.1
    │   │   │   ├── fs 0.0.1
    │   │   │   │   ├── watch 0.0.1
    │   │   │   │   ├── testutil 0.0.1
    │   │   │   │   │   ├── watch 0.0.1
    │   │   │   │   │   ├── store 0.1.0
    │   │   │   │   │   ├── process_execution 0.0.1
    │   │   │   │   │   ├── mock 0.0.1
    │   │   │   │   │   │   ├── store 0.1.0
    │   │   │   │   │   │   ├── process_execution 0.0.1
    │   │   │   │   │   │   ├── local_execution_server 0.1.0
    │   │   │   │   │   │   ├── local_cas 0.0.1
    │   │   │   │   │   │   └── engine 0.0.1
    │   │   │   │   │   ├── fs 0.0.1
    │   │   │   │   │   ├── engine 0.0.1
    │   │   │   │   │   └── brfs 0.0.1
    │   │   │   │   ├── store 0.1.0
    │   │   │   │   ├── sharded_lmdb 0.0.1
    │   │   │   │   ├── process_executor 0.0.1
    │   │   │   │   ├── process_execution 0.0.1
    │   │   │   │   ├── fs_util 0.0.1
    │   │   │   │   └── engine 0.0.1
    │   │   │   ├── engine 0.0.1
    │   │   │   ├── cache 0.0.1
    │   │   │   └── brfs 0.0.1
    │   │   ├── store 0.1.0
    │   │   ├── process_executor 0.0.1
    │   │   ├── process_execution 0.0.1
    │   │   ├── fs_util 0.0.1
    │   │   ├── engine 0.0.1
    │   │   └── brfs 0.0.1
    │   ├── watch 0.0.1
    │   ├── testutil 0.0.1
    │   ├── store 0.1.0
    │   ├── sharded_lmdb 0.0.1
    │   ├── protos 0.0.1
    │   │   ├── testutil 0.0.1
    │   │   ├── store 0.1.0
    │   │   ├── process_executor 0.0.1
    │   │   ├── process_execution 0.0.1
    │   │   ├── mock 0.0.1
    │   │   ├── local_execution_server 0.1.0
    │   │   ├── fs_util 0.0.1
    │   │   ├── engine 0.0.1
    │   │   ├── cache 0.0.1
    │   │   └── brfs 0.0.1
    │   ├── process_executor 0.0.1
    │   ├── process_execution 0.0.1
    │   ├── mock 0.0.1
    │   ├── fs_util 0.0.1
    │   ├── fs 0.0.1
    │   ├── engine 0.0.1
    │   ├── cache 0.0.1
    │   └── brfs 0.0.1
    └── client 0.0.1

Crate:         memmap
Version:       0.7.0
Warning:       unmaintained
Title:         memmap is unmaintained
Date:          2020-12-02
ID:            RUSTSEC-2020-0077
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0077
Dependency tree: 
memmap 0.7.0
└── store 0.1.0
    ├── process_executor 0.0.1
    ├── process_execution 0.0.1
    │   ├── process_executor 0.0.1
    │   └── engine 0.0.1
    ├── fs_util 0.0.1
    ├── engine 0.0.1
    └── brfs 0.0.1

Crate:         net2
Version:       0.2.37
Warning:       unmaintained
Title:         `net2` crate has been deprecated; use `socket2` instead
Date:          2020-05-01
ID:            RUSTSEC-2020-0016
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree: 
net2 0.2.37
├── miow 0.2.2
└── mio 0.6.23

Crate:         crossbeam-deque
Version:       0.8.0
Warning:       yanked

Crate:         crossbeam-epoch
Version:       0.9.1
Warning:       yanked
Dependency tree: 
crossbeam-epoch 0.9.1
└── crossbeam-deque 0.8.0
    ├── rayon-core 1.9.0
    │   └── rayon 1.5.0
    │       ├── sysinfo 0.17.5
    │       │   └── client 0.0.1
    │       └── criterion 0.3.3
    │           └── store 0.1.0
    │               ├── process_executor 0.0.1
    │               ├── process_execution 0.0.1
    │               │   ├── process_executor 0.0.1
    │               │   └── engine 0.0.1
    │               ├── fs_util 0.0.1
    │               ├── engine 0.0.1
    │               └── brfs 0.0.1
    └── rayon 1.5.0

error: 5 vulnerabilities found!
warning: 6 allowed warnings found

@@ -3325,6 +3318,15 @@ dependencies = [
"winapi 0.3.9",
]

[[package]]
name = "time"
version = "0.3.5"
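Review bot: the `time` 0.1.44 entry that RUSTSEC-2020-0071 is reported against is not retired by this hunk; only the new `time` 0.3.5 package block at +3318 is visible, so the advisory remains open through whatever still depends on 0.1.44 (the audit output above shows `chrono`). Re-run `./cargo audit` after the update and state in the PR description that this advisory is a known, currently unfixable finding, so the cron job's remaining failures are the expected ones.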
Contributor

Seems like time v0.1.44 is still in the dependency graph?

Contributor Author

It is, but - afaict - that's not changeable without fixing its dependee chain which includes chrono which has no further upgrade available.

@@ -157,9 +157,9 @@ dependencies = [

[[package]]
name = "bitflags"
version = "1.3.2"
version = "1.2.1"
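Review bot: `bitflags` moves from 1.3.2 to 1.2.1 in this hunk, which is a downgrade rather than an upgrade. `cargo update -p` only steps a crate backwards when some other dependency caps its version, so identify the dependency that introduced the cap and record it in the PR description before merging; a silent downgrade of a crate this widely used is easy to miss in review.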
Contributor

Downgrade intended?

Contributor Author

This was automated via the command in the PR description, so I assume yes.

Contributor Author

This one is weird - all deps are un-pinned... I'm going to try nuking my registry and re-running.

Contributor Author

I guess I can try running individual updates with `--precise` after first learning solutions via `--dry-run`...

Contributor Author

Aha - it's the nix 0.20.0 -> 0.20.2. That nix has an upper bound on bitflags which forces the downgrade: https://github.com/nix-rust/nix/blob/v0.20.2/Cargo.toml

I can update our nix dep to latest manually (0.23) in two spots and the downgrade of bitflags disappears. I'll hang back though since this is all a bit messy and only partially fixes vulnerabilities. It looks like we've had failures for 3+ months.
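The triage this thread does by hand, as an added example that is not part of the PR or of the Pants code base: it parses the `cargo audit` text report format quoted above, keeps only findings whose patched release is reachable inside the current semver caret range (what a plain `cargo update -p` can pick), and emits one `--precise` update per fixable crate, the approach the author considers above. The sample report is constructed from a few of the page's advisory blocks with the trees cut short, and `./cargo` is the repository wrapper script used in the PR description.

```python
import re
# Constructed sample in the format quoted above; IDs, versions and solution ranges are the page's.
SAMPLE_REPORT = """\
Crate:         chrono
Version:       0.4.19
ID:            RUSTSEC-2020-0159
Solution:      No safe upgrade is available!

Crate:         nix
Version:       0.20.0
ID:            RUSTSEC-2021-0119
Solution:      Upgrade to >=0.20.2, <0.21.0 OR >=0.21.2, <0.22.0 OR >=0.22.2, <0.23.0 OR >=0.23.0

Crate:         time
Version:       0.1.44
ID:            RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.19

Crate:         anymap
Version:       0.12.1
Warning:       unmaintained
ID:            RUSTSEC-2021-0065
"""

def parse_version(s):
    """'0.20.2' -> (0, 20, 2); a pre-release tag such as '-pre.3' is dropped."""
    return tuple(int(p) for p in s.split("-")[0].split("."))

def caret_compatible(cur, target):
    """True if target lies in cur's caret range, i.e. a plain `cargo update -p` can reach it."""
    if target <= cur:
        return False
    return target[0] == cur[0] if cur[0] else (cur[1] > 0 and target[1] == cur[1])

def parse_report(text):
    """One dict of `Key: value` fields per advisory block; tree lines have no colon and drop out."""
    blocks = [dict(re.findall(r"^([A-Za-z]+):\s+(.*?)\s*$", b, re.M))
              for b in re.split(r"\n\s*\n", text.strip())]
    return [b for b in blocks if "Crate" in b]

def triage(text):
    """crate -> (fix, reason); fix is None when only a breaking bump, or nothing, fixes it."""
    out = {}
    for f in parse_report(text):
        if "Warning" in f:
            continue                                  # unmaintained/yanked notices, not vulns
        cur = parse_version(f["Version"])
        patched = re.findall(r">=([\d.]+)", f.get("Solution", ""))
        ok = [p for p in patched if caret_compatible(cur, parse_version(p))]
        reason = ("semver-compatible upgrade" if ok else "patched only across a breaking bump: >="
                  + patched[0] if patched else "no safe upgrade published")
        out[f["Crate"]] = (ok[0] if ok else None, reason)
    return out

def update_commands(text):
    """One `--precise` update per fixable crate, the approach the author considers above."""
    return [f"./cargo update -p {c} --precise {v}" for c, (v, _) in sorted(triage(text).items()) if v]
```

Findings whose only fix sits across a breaking bump (here `time` 0.1.44, reachable only through `chrono`) come back with `fix=None` and a reason, which is the case the reviewer raised above; `chrono` itself comes back with no fix at all.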

@jsirois jsirois merged commit 96a9bd9 into pantsbuild:main Nov 29, 2021
@jsirois jsirois deleted the rustsec/updates branch November 29, 2021 19:47
illicitonion added a commit that referenced this pull request Dec 7, 2021