
Add CVE-2019-15541 in rustls example code #131

Closed

wants to merge 1 commit

Conversation

ctz
Copy link
Contributor

@ctz ctz commented Aug 26, 2019

This is a bit of a weird one because it's in example code. No amount of upgrading or downgrading will help for vulnerable downstream crates that copied and built upon the problematic example code. For that reason I've listed pre-patch versions as unaffected_versions -- but I'd appreciate your opinion on this.

@tarcieri
Copy link
Member

That's a tricky one, for sure! I'll run it by the Secure Code WG and see what they think.

@tarcieri
Copy link
Member

Well I'd agree that everyone should upgrade. In general I think this might be a bit noisy a reason for people to do so.

I think it'd be fine to file an advisory for this, but I'd suggest using a VersionReq which won't impact existing users, and publicizing the advisory in other ways.

Otherwise, I think this issue is another good candidate for severity scoring.

@tarcieri
Copy link
Member

@ctz I've been hacking on the rustsec crate a bunch and I'm wondering if it might be worth incorporating a concept of an informational advisory that doesn't impact any particular crate versions and won't show up in cargo-audit, but allows you to leverage RustSec as a way to catalog and distribute it. What do you think about that?

@ctz
Copy link
Contributor Author

ctz commented Aug 29, 2019

That sounds ideal to me.

@tarcieri
Copy link
Member

@ctz cool, I happen to be actively working on the rustsec crate right now so I will try to build that in as a first-class concept. Perhaps we could even figure out a way to make it warn but not error. It seems like an "informational advisory" might also be a good way to warn about things like unmaintained crates:

https://internals.rust-lang.org/t/tracking-unmaintained-crates-using-rustsec/10884

In the meantime we can do a hack like:

patched_versions = [">= 0"]

...to ensure it doesn't actually break anyone's build.

@Shnatsel
Copy link
Member

There are even more reasons not to surface this in cargo-audit, or for that matter anything that parses RustSec DB:

  1. This info should be surfaced to maintainers of directly dependent crates only. If they're found vulnerable, they should get their own RustSec advisories for specific versions. This advisory if landed as-is would also create a non-actionable message to transitively dependent crates, which is a glaring false positive.
  2. There is no way to make this message go away. You're stuck with it essentially forever.

Instead I would open bugs on bug trackers of prominent uses of rustls, and file a CVE to alert companies with their proprietary code.

@ctz
Copy link
Contributor Author

ctz commented Nov 7, 2019

Going to close this, since it was likely an overreaction.

@ctz ctz closed this Nov 7, 2019
@ctz ctz deleted the master branch November 22, 2024 18:39