Open Bug 1639657 Opened 4 years ago Updated 4 years ago

cargo audit reports RUSTSEC-2020-0004 issue with lucet-runtime-internals

(Core :: Security, task, P4)

(Reporter: vladikoff, Unassigned)

Running cargo audit in the mozilla-central tree reports the following error:

error: Vulnerable crates found!

ID:       RUSTSEC-2020-0004
Crate:    lucet-runtime-internals
Version:  0.1.1
Date:     2020-01-24
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0004
Title:    sigstack allocation bug can cause memory corruption or leak
Solution:  upgrade to < 0.5.0, >= 0.4.3 OR >= 0.5.1
Dependency tree: 
lucet-runtime-internals 0.1.1
├── rlbox_lucet_sandbox 0.1.0
│   └── gkrust-shared 0.1.0
│       ├── gkrust-gtest 0.1.0
│       └── gkrust 0.1.0
├── lucet-wasi 0.1.1
│   └── rlbox_lucet_sandbox 0.1.0
└── lucet-runtime 0.1.1
    ├── rlbox_lucet_sandbox 0.1.0
    └── lucet-wasi 0.1.1

I didn't find a tracking issue to fix this in the tree yet.

Nathan or Tom: Is there a better component for the rlbox work? Who else should be CC'd?

Group: firefox-core-security → dom-core-security
Flags: needinfo?(tom)
Flags: needinfo?(nfroyd)
Product: Firefox → Core

Shravan and Deian (cc'd) are our contacts at UCSD for this work. We verified earlier this month that RUSTSEC-2020-0004 had been patched in the fork that we have. It's not great that cargo audit turns this up, as I'm sure we're going to keep getting requests until we sync with upstream...

Core :: XPCOM might be slightly better than Core :: Security, but either one works, I guess.

Flags: needinfo?(tom)
Flags: needinfo?(nfroyd)

The advisory is public, lots of folks run cargo audit, and we don't think we have a real security bug here: let's unhide the bug to forestall lots of dupes and to reassure people who see the warnings (I was talking this morning with someone who was worried about this warning).

Group: dom-core-security, mozilla-employee-confidential

:+1: Sounds good!

Bug 1640782 should take care of the naming issue, which should placate cargo audit.

Severity: -- → S4
Type: defect → task
Depends on: 1640782
Priority: -- → P4
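The situation in this bug (a vendored fork already carries the fix but keeps a version string inside the advisory's vulnerable range, so cargo audit keeps flagging it) can be triaged mechanically. The following is an added example, not code from the bug or from cargo-audit; it assumes the advisory's "Solution" ranges use the syntax shown in the report above (comma = AND, OR = alternative ranges) and takes a constructed, simplified finding rather than real `cargo audit --json` output.

```python
"""Triage cargo-audit findings against locally patched forks (added example)."""
import re

# Constructed stand-in for the finding quoted in this bug (range part of "Solution").
FINDING = {
    "id": "RUSTSEC-2020-0004",
    "crate": "lucet-runtime-internals",
    "version": "0.1.1",
    "solution": "< 0.5.0, >= 0.4.3 OR >= 0.5.1",
}

# Local knowledge: advisories verified as patched in an in-tree fork whose
# version string was not bumped (the situation described in the bug).
KNOWN_PATCHED_FORKS = {("lucet-runtime-internals", "0.1.1", "RUSTSEC-2020-0004")}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}

def parse_version(v: str) -> tuple:
    """'0.4.3' -> (0, 4, 3); missing components count as 0. Pre-release
    suffixes are not handled and raise ValueError (assumption of this example)."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version: str, requirement: str) -> bool:
    """True if version lies inside any OR-alternative of the patched ranges;
    each alternative is an AND of comparators separated by commas."""
    ver = parse_version(version)
    for alternative in requirement.split("OR"):
        ok = True
        for clause in alternative.split(","):
            m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*([\d.]+)\s*", clause)
            if not m:
                raise ValueError(f"bad comparator: {clause!r}")
            ok = ok and _OPS[m.group(1)](ver, parse_version(m.group(2)))
        if ok:
            return True
    return False

def classify(finding: dict, known_patched=KNOWN_PATCHED_FORKS) -> str:
    """Return 'patched-upstream', 'patched-locally' or 'vulnerable'."""
    if satisfies(finding["version"], finding["solution"]):
        return "patched-upstream"
    key = (finding["crate"], finding["version"], finding["id"])
    return "patched-locally" if key in known_patched else "vulnerable"
```

With the version left at 0.1.1 the finding is correctly classified as vulnerable by version alone and only the local allowlist downgrades it, which is exactly why renaming or re-versioning the fork (bug 1640782) is the durable fix.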