
atty dependency has security issue #11416

Closed
cemoktra opened this issue Nov 24, 2022 · 4 comments · Fixed by #11420
Labels
A-security Area: security C-bug Category: bug O-windows OS: Windows

Comments

@cemoktra

cemoktra commented Nov 24, 2022

Problem

The dependency on atty has a security issue; also, atty seems to be unmaintained.

https://rustsec.org/advisories/RUSTSEC-2021-0145

Steps

No response

Possible Solution(s)

Use https://crates.io/crates/is-terminal instead

Notes

No response

Version

0.66.0
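What the suggested migration looks like in practice, as an added example that is not code from cargo or from this issue: the `atty::is(...)` call is replaced by the `is_terminal()` method, which the `is-terminal` crate provides and which, since Rust 1.70, is also in the standard library as `std::io::IsTerminal` (used here so the example builds offline). The `NO_COLOR`/`TERM` policy around it is an assumption for illustration.

```rust
use std::fs::File;
use std::io::IsTerminal;

/// Decide whether to emit ANSI colour on `stream`.
///
/// Before: `atty::is(atty::Stream::Stdout)` (the crate this issue removes).
/// After:  `stream.is_terminal()`, from the `is-terminal` crate on older
/// toolchains or from `std::io::IsTerminal` on Rust 1.70+.
/// The NO_COLOR / TERM handling is an assumed policy for this example.
pub fn color_enabled<S: IsTerminal>(stream: &S, no_color: Option<&str>, term: Option<&str>) -> bool {
    // NO_COLOR convention: the variable being set at all (even empty) disables colour.
    if no_color.is_some() {
        return false;
    }
    // A dumb terminal cannot render escape sequences.
    if term == Some("dumb") {
        return false;
    }
    // Only a real terminal gets escape sequences; pipes and files never do.
    stream.is_terminal()
}

/// The same decision for the running process, reading NO_COLOR and TERM from the environment.
pub fn stdout_color_enabled() -> bool {
    let no_color = std::env::var("NO_COLOR").ok();
    let term = std::env::var("TERM").ok();
    color_enabled(&std::io::stdout(), no_color.as_deref(), term.as_deref())
}

fn main() {
    // A file handle is never a terminal, so no colour regardless of TERM.
    let sink = File::open("/dev/null").expect("open /dev/null");
    println!("to /dev/null: {}", color_enabled(&sink, None, Some("xterm")));
    println!("to stdout:    {}", stdout_color_enabled());
}
```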
@cemoktra cemoktra added the C-bug Category: bug label Nov 24, 2022
@cemoktra cemoktra changed the title from "atty dependency yanked" to "atty dependency has security issue" Nov 24, 2022
epage added a commit to epage/cargo that referenced this issue Nov 24, 2022
This removes one path to `atty`.

Others:
- clap: fixed in 4.0.27
- pretty-env-logger: seanmonstar/pretty-env-logger#52 needs to be resolved first
- snapbox: this will be fixed soonish but is also only a test dependency
- direct dependency

This is part of rust-lang#11416
bors added a commit that referenced this issue Nov 24, 2022
chore: Upgrade to env_logger

This removes one path to `atty`.

Others:
- clap: fixed in 4.0.27
- pretty-env-logger: seanmonstar/pretty-env-logger#52 needs to be resolved first
- snapbox: this will be fixed soonish but is also only a test dependency
- direct dependency

This is part of #11416
@ChrisDenton
Member

ChrisDenton commented Nov 24, 2022

As noted in the advisory, official releases of Cargo aren't affected by this particular soundness issue because they don't use an allocator that aligns to less than 8 bytes.

However, the maintenance issue is still a concern.

@epage
Contributor

epage commented Nov 24, 2022

While cargo-the-bin isn't affected, cargo-the-lib would be, and there are people who link against cargo.

@weihanglo weihanglo added O-windows OS: Windows A-security Area: security labels Nov 25, 2022
epage added a commit to epage/cargo that referenced this issue Nov 25, 2022
bors added a commit that referenced this issue Nov 25, 2022
chore: Upgrade to env_logger
@bors bors closed this as completed in e027c4b Nov 25, 2022
@cemoktra
Author

Great, is this coming to the next rust version or earlier?

@Muscraft
Member

This will be in 1.67.0, which should release on January 26 2023 UTC.

The cutoff for 1.66.0 was on October 28 2022 UTC.
