Open Bug 1895915 Opened 5 months ago Updated 5 months ago

Audit cargo audit output

Categories

(Firefox Build System :: General, defect, P3)

defect

Tracking

(Not tracked)

People

(Reporter: tjr, Unassigned)

References

Details

(Keywords: sec-audit)

Running ./mach cargo audit on a recentish checkout gives the following output:

 0:02.73 Crate:     chrono
 0:02.73 Version:   0.4.19
 0:02.73 Title:     Potential segfault in `localtime_r` invocations
 0:02.73 Date:      2020-11-10
 0:02.73 ID:        RUSTSEC-2020-0159
 0:02.73 URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
 0:02.73 Solution:  Upgrade to >=0.4.20
 0:02.73 Dependency tree:
 0:02.73 chrono 0.4.19
 0:02.73 ├── suggest 0.1.0
 0:02.73 │   └── gkrust-shared 0.1.0
 0:02.73 │       ├── gkrust-gtest 0.1.0
 0:02.73 │       └── gkrust 0.1.0
 0:02.73 ├── mozilla-central-workspace-hack 0.1.0
 0:02.73 │   ├── process_reader 0.1.0
 0:02.73 │   │   ├── mozwer_s 0.1.0
 0:02.73 │   │   └── mozannotation_server 0.1.0
 0:02.73 │   │       └── gkrust-shared 0.1.0
 0:02.73 │   ├── osclientcerts-static 0.1.4
 0:02.73 │   ├── nmhproxy 0.1.0
 0:02.73 │   ├── mozwer_s 0.1.0
 0:02.73 │   ├── jsrust 0.1.0
 0:02.73 │   ├── ipcclientcerts-static 0.1.0
 0:02.73 │   ├── http3server 0.1.1
 0:02.73 │   ├── gkrust-gtest 0.1.0
 0:02.73 │   ├── gkrust 0.1.0
 0:02.73 │   ├── geckodriver 0.34.0
 0:02.73 │   ├── crashreporter 1.0.0
 0:02.73 │   └── builtins-static 0.1.0
 0:02.73 ├── glean-core 60.0.0
 0:02.73 │   └── glean 60.0.0
 0:02.73 │       ├── wr_glyph_rasterizer 0.1.0
 0:02.73 │       │   └── webrender 0.62.0
 0:02.73 │       │       └── webrender_bindings 0.1.0
 0:02.73 │       │           └── gkrust-shared 0.1.0
 0:02.73 │       ├── webrender 0.62.0
 0:02.73 │       ├── fog_control 0.1.0
 0:02.73 │       │   └── gkrust-shared 0.1.0
 0:02.73 │       └── firefox-on-glean 0.1.0
 0:02.73 │           ├── wr_glyph_rasterizer 0.1.0
 0:02.73 │           ├── webrender 0.62.0
 0:02.73 │           ├── jog 0.1.0
 0:02.73 │           │   ├── gkrust-shared 0.1.0
 0:02.73 │           │   └── fog-gtest 0.1.0
 0:02.73 │           │       └── gkrust-gtest 0.1.0
 0:02.73 │           ├── fog_control 0.1.0
 0:02.73 │           ├── fog-gtest 0.1.0
 0:02.73 │           └── data_storage 0.0.1
 0:02.73 │               └── gkrust-shared 0.1.0
 0:02.73 ├── geckodriver 0.34.0
 0:02.73 └── firefox-on-glean 0.1.0
 0:02.73 
 0:02.73 Crate:     h2
 0:02.73 Version:   0.3.22
 0:02.73 Title:     Degradation of service in h2 servers with CONTINUATION Flood
 0:02.73 Date:      2024-04-03
 0:02.73 ID:        RUSTSEC-2024-0332
 0:02.73 URL:       https://rustsec.org/advisories/RUSTSEC-2024-0332
 0:02.73 Solution:  Upgrade to ^0.3.26 OR >=0.4.4
 0:02.73 Dependency tree:
 0:02.73 h2 0.3.22
 0:02.73 └── hyper 0.14.24
 0:02.73     ├── warp 0.3.6
 0:02.73     │   ├── webdriver 0.50.0
 0:02.73     │   │   └── geckodriver 0.34.0
 0:02.73     │   └── crashreporter 1.0.0
 0:02.73     ├── mozilla-central-workspace-hack 0.1.0
 0:02.73     │   ├── process_reader 0.1.0
 0:02.73     │   │   ├── mozwer_s 0.1.0
 0:02.73     │   │   └── mozannotation_server 0.1.0
 0:02.73     │   │       └── gkrust-shared 0.1.0
 0:02.73     │   │           ├── gkrust-gtest 0.1.0
 0:02.73     │   │           └── gkrust 0.1.0
 0:02.73     │   ├── osclientcerts-static 0.1.4
 0:02.73     │   ├── nmhproxy 0.1.0
 0:02.73     │   ├── mozwer_s 0.1.0
 0:02.73     │   ├── jsrust 0.1.0
 0:02.73     │   ├── ipcclientcerts-static 0.1.0
 0:02.73     │   ├── http3server 0.1.1
 0:02.73     │   ├── gkrust-gtest 0.1.0
 0:02.73     │   ├── gkrust 0.1.0
 0:02.73     │   ├── geckodriver 0.34.0
 0:02.73     │   ├── crashreporter 1.0.0
 0:02.73     │   └── builtins-static 0.1.0
 0:02.73     ├── http3server 0.1.1
 0:02.73     └── geckodriver 0.34.0
 0:02.73 
 0:02.73 Crate:     h2
 0:02.73 Version:   0.3.22
 0:02.73 Title:     Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
 0:02.73 Date:      2024-01-17
 0:02.73 ID:        RUSTSEC-2024-0003
 0:02.73 URL:       https://rustsec.org/advisories/RUSTSEC-2024-0003
 0:02.73 Solution:  Upgrade to ^0.3.24 OR >=0.4.2
 0:02.73 
 0:02.73 Crate:     owning_ref
 0:02.73 Version:   0.4.1
 0:02.73 Title:     Multiple soundness issues in `owning_ref`
 0:02.73 Date:      2022-01-26
 0:02.73 ID:        RUSTSEC-2022-0040
 0:02.73 URL:       https://rustsec.org/advisories/RUSTSEC-2022-0040
 0:02.73 Solution:  No fixed upgrade is available!
 0:02.73 Dependency tree:
 0:02.73 owning_ref 0.4.1
 0:02.73 └── style 0.0.1
 0:02.73     ├── stylo_tests 0.0.1
 0:02.73     │   └── gkrust 0.1.0
 0:02.73     └── geckoservo 0.0.1
 0:02.74         └── gkrust-shared 0.1.0
 0:02.74             ├── gkrust-gtest 0.1.0
 0:02.74             └── gkrust 0.1.0
 0:02.74 
 0:02.74 Crate:     remove_dir_all
 0:02.74 Version:   0.5.3
 0:02.74 Title:     Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
 0:02.74 Date:      2023-02-24
 0:02.74 ID:        RUSTSEC-2023-0018
 0:02.74 URL:       https://rustsec.org/advisories/RUSTSEC-2023-0018
 0:02.74 Solution:  Upgrade to >=0.8.0
 0:02.74 Dependency tree:
 0:02.74 remove_dir_all 0.5.3
 0:02.74 └── webrender_bindings 0.1.0
 0:02.74     └── gkrust-shared 0.1.0
 0:02.74         ├── gkrust-gtest 0.1.0
 0:02.74         └── gkrust 0.1.0
 0:02.74 
 0:02.74 Crate:     self_cell
 0:02.74 Version:   0.10.2
 0:02.74 Title:     Insufficient covariance check makes self_cell unsound
 0:02.74 Date:      2023-11-10
 0:02.74 ID:        RUSTSEC-2023-0070
 0:02.74 URL:       https://rustsec.org/advisories/RUSTSEC-2023-0070
 0:02.74 Solution:  Upgrade to >=0.10.3, <1.0.0 OR >=1.0.2
 0:02.74 Dependency tree:
 0:02.74 self_cell 0.10.2
 0:02.74 └── fluent-bundle 0.15.2
 0:02.74     ├── l10nregistry 0.3.0
 0:02.74     │   ├── localization-ffi 0.1.0
 0:02.74     │   │   └── gkrust-shared 0.1.0
 0:02.74     │   │       ├── gkrust-gtest 0.1.0
 0:02.74     │   │       └── gkrust 0.1.0
 0:02.74     │   ├── l10nregistry-ffi 0.1.0
 0:02.74     │   │   ├── localization-ffi 0.1.0
 0:02.74     │   │   ├── l10nregistry-ffi-gtest 0.1.0
 0:02.74     │   │   │   └── gkrust-gtest 0.1.0
 0:02.74     │   │   └── gkrust-shared 0.1.0
 0:02.74     │   └── gkrust-shared 0.1.0
 0:02.74     ├── fluent-fallback 0.7.0
 0:02.74     │   ├── localization-ffi 0.1.0
 0:02.74     │   ├── l10nregistry-ffi 0.1.0
 0:02.74     │   ├── l10nregistry 0.3.0
 0:02.74     │   └── gkrust-shared 0.1.0
 0:02.74     └── fluent 0.16.0
 0:02.74         ├── localization-ffi 0.1.0
 0:02.74         ├── l10nregistry-ffi 0.1.0
 0:02.74         ├── gkrust-shared 0.1.0
 0:02.74         ├── fluent-ffi 0.1.0
 0:02.74         │   ├── localization-ffi 0.1.0
 0:02.74         │   ├── l10nregistry-ffi 0.1.0
 0:02.74         │   └── gkrust-shared 0.1.0
 0:02.74         └── crashreporter 1.0.0
 0:02.74 
 0:02.74 Crate:     shlex
 0:02.74 Version:   1.1.0
 0:02.74 Title:     Multiple issues involving quote API
 0:02.74 Date:      2024-01-21
 0:02.74 ID:        RUSTSEC-2024-0006
 0:02.74 URL:       https://rustsec.org/advisories/RUSTSEC-2024-0006
 0:02.74 Solution:  Upgrade to >=1.3.0
 0:02.74 Dependency tree:
 0:02.74 shlex 1.1.0
 0:02.74 └── bindgen 0.69.4
 0:02.74     ├── style 0.0.1
 0:02.74     │   ├── stylo_tests 0.0.1
 0:02.74     │   │   └── gkrust 0.1.0
 0:02.74     │   └── geckoservo 0.0.1
 0:02.74     │       └── gkrust-shared 0.1.0
 0:02.74     │           ├── gkrust-gtest 0.1.0
 0:02.74     │           └── gkrust 0.1.0
 0:02.74     ├── pkcs11-bindings 0.1.5
 0:02.74     │   ├── rsclientcerts 0.1.0
 0:02.74     │   │   ├── osclientcerts-static 0.1.4
 0:02.74     │   │   └── ipcclientcerts-static 0.1.0
 0:02.74     │   ├── osclientcerts-static 0.1.4
 0:02.74     │   ├── nss-gk-api 0.3.0
 0:02.74     │   │   └── authenticator 0.4.0-alpha.24
 0:02.74     │   │       └── authrs_bridge 0.1.0
 0:02.74     │   │           └── gkrust-shared 0.1.0
 0:02.74     │   ├── ipcclientcerts-static 0.1.0
 0:02.74     │   ├── builtins-static 0.1.0
 0:02.74     │   └── authenticator 0.4.0-alpha.24
 0:02.74     ├── nss-gk-api 0.3.0
 0:02.74     ├── neqo-crypto 0.7.5
 0:02.74     │   ├── neqo_glue 0.1.0
 0:02.74     │   │   └── gkrust-shared 0.1.0
 0:02.74     │   ├── neqo-transport 0.7.5
 0:02.74     │   │   ├── neqo_glue 0.1.0
 0:02.74     │   │   ├── neqo-qpack 0.7.5
 0:02.74     │   │   │   ├── neqo_glue 0.1.0
 0:02.74     │   │   │   ├── neqo-http3 0.7.5
 0:02.74     │   │   │   │   ├── neqo_glue 0.1.0
 0:02.74     │   │   │   │   └── http3server 0.1.1
 0:02.74     │   │   │   └── http3server 0.1.1
 0:02.74     │   │   ├── neqo-http3 0.7.5
 0:02.74     │   │   └── http3server 0.1.1
 0:02.74     │   ├── neqo-qpack 0.7.5
 0:02.74     │   ├── neqo-http3 0.7.5
 0:02.74     │   └── http3server 0.1.1
 0:02.74     ├── mozilla-central-workspace-hack 0.1.0
 0:02.74     │   ├── process_reader 0.1.0
 0:02.74     │   │   ├── mozwer_s 0.1.0
 0:02.74     │   │   └── mozannotation_server 0.1.0
 0:02.74     │   │       └── gkrust-shared 0.1.0
 0:02.74     │   ├── osclientcerts-static 0.1.4
 0:02.74     │   ├── nmhproxy 0.1.0
 0:02.74     │   ├── mozwer_s 0.1.0
 0:02.74     │   ├── jsrust 0.1.0
 0:02.74     │   ├── ipcclientcerts-static 0.1.0
 0:02.74     │   ├── http3server 0.1.1
 0:02.74     │   ├── gkrust-gtest 0.1.0
 0:02.74     │   ├── gkrust 0.1.0
 0:02.74     │   ├── geckodriver 0.34.0
 0:02.74     │   ├── crashreporter 1.0.0
 0:02.74     │   └── builtins-static 0.1.0
 0:02.74     ├── http3server 0.1.1
 0:02.74     ├── gtkbind 0.1.0
 0:02.74     │   └── crashreporter 1.0.0
 0:02.74     ├── gecko-profiler 0.1.0
 0:02.74     │   ├── webrender_bindings 0.1.0
 0:02.74     │   │   └── gkrust-shared 0.1.0
 0:02.74     │   ├── style 0.0.1
 0:02.74     │   ├── mdns_service 0.1.1
 0:02.74     │   │   └── gkrust-shared 0.1.0
 0:02.74     │   ├── gkrust-shared 0.1.0
 0:02.74     │   └── geckoservo 0.0.1
 0:02.74     ├── coreaudio-sys 0.2.14
 0:02.74     │   └── coreaudio-sys-utils 0.1.0
 0:02.74     │       └── cubeb-coreaudio 0.1.0
 0:02.74     │           └── gkrust-shared 0.1.0
 0:02.74     ├── cocoabind 0.1.0
 0:02.74     │   └── crashreporter 1.0.0
 0:02.74     ├── builtins-static 0.1.0
 0:02.74     └── bindgen 0.63.999
 0:02.74         └── ohttp 0.3.1
 0:02.74             ├── oblivious_http 0.1.0
 0:02.74             │   └── gkrust-shared 0.1.0
 0:02.74             └── fog_control 0.1.0
 0:02.74                 └── gkrust-shared 0.1.0
 0:02.74 
 0:02.74 Crate:     time
 0:02.74 Version:   0.1.45
 0:02.74 Title:     Potential segfault in the time crate
 0:02.74 Date:      2020-11-18
 0:02.74 ID:        RUSTSEC-2020-0071
 0:02.74 URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
 0:02.74 Severity:  6.2 (medium)
 0:02.74 Solution:  Upgrade to >=0.2.23
 0:02.74 Dependency tree:
 0:02.74 time 0.1.45
 0:02.74 ├── webrender_api 0.62.0
 0:02.74 │   ├── wr_glyph_rasterizer 0.1.0
 0:02.74 │   │   └── webrender 0.62.0
 0:02.74 │   │       └── webrender_bindings 0.1.0
 0:02.74 │   │           └── gkrust-shared 0.1.0
 0:02.74 │   │               ├── gkrust-gtest 0.1.0
 0:02.74 │   │               └── gkrust 0.1.0
 0:02.74 │   └── webrender 0.62.0
 0:02.74 ├── webrender 0.62.0
 0:02.74 ├── style 0.0.1
 0:02.74 │   ├── stylo_tests 0.0.1
 0:02.74 │   │   └── gkrust 0.1.0
 0:02.74 │   └── geckoservo 0.0.1
 0:02.74 │       └── gkrust-shared 0.1.0
 0:02.74 ├── glean-core 60.0.0
 0:02.74 │   └── glean 60.0.0
 0:02.74 │       ├── wr_glyph_rasterizer 0.1.0
 0:02.74 │       ├── webrender 0.62.0
 0:02.74 │       ├── fog_control 0.1.0
 0:02.74 │       │   └── gkrust-shared 0.1.0
 0:02.74 │       └── firefox-on-glean 0.1.0
 0:02.74 │           ├── wr_glyph_rasterizer 0.1.0
 0:02.75 │           ├── webrender 0.62.0
 0:02.75 │           ├── jog 0.1.0
 0:02.75 │           │   ├── gkrust-shared 0.1.0
 0:02.75 │           │   └── fog-gtest 0.1.0
 0:02.75 │           │       └── gkrust-gtest 0.1.0
 0:02.75 │           ├── fog_control 0.1.0
 0:02.75 │           ├── fog-gtest 0.1.0
 0:02.75 │           └── data_storage 0.0.1
 0:02.75 │               └── gkrust-shared 0.1.0
 0:02.75 ├── chrono 0.4.19
 0:02.75 │   ├── suggest 0.1.0
 0:02.75 │   │   └── gkrust-shared 0.1.0
 0:02.75 │   ├── mozilla-central-workspace-hack 0.1.0
 0:02.75 │   │   ├── process_reader 0.1.0
 0:02.75 │   │   │   ├── mozwer_s 0.1.0
 0:02.75 │   │   │   └── mozannotation_server 0.1.0
 0:02.75 │   │   │       └── gkrust-shared 0.1.0
 0:02.75 │   │   ├── osclientcerts-static 0.1.4
 0:02.75 │   │   ├── nmhproxy 0.1.0
 0:02.75 │   │   ├── mozwer_s 0.1.0
 0:02.75 │   │   ├── jsrust 0.1.0
 0:02.75 │   │   ├── ipcclientcerts-static 0.1.0
 0:02.75 │   │   ├── http3server 0.1.1
 0:02.75 │   │   ├── gkrust-gtest 0.1.0
 0:02.75 │   │   ├── gkrust 0.1.0
 0:02.75 │   │   ├── geckodriver 0.34.0
 0:02.75 │   │   ├── crashreporter 1.0.0
 0:02.75 │   │   └── builtins-static 0.1.0
 0:02.75 │   ├── glean-core 60.0.0
 0:02.75 │   ├── geckodriver 0.34.0
 0:02.75 │   └── firefox-on-glean 0.1.0
 0:02.75 └── cert_storage 0.0.1
 0:02.75     └── gkrust-shared 0.1.0
 0:02.75 
 0:02.75 Crate:     mach
 0:02.75 Version:   0.3.2
 0:02.75 Warning:   unmaintained
 0:02.75 Title:     mach is unmaintained
 0:02.75 Date:      2020-07-14
 0:02.75 ID:        RUSTSEC-2020-0168
 0:02.75 URL:       https://rustsec.org/advisories/RUSTSEC-2020-0168
 0:02.75 Dependency tree:
 0:02.75 mach 0.3.2
 0:02.75 ├── cubeb-coreaudio 0.1.0
 0:02.75 │   └── gkrust-shared 0.1.0
 0:02.75 │       ├── gkrust-gtest 0.1.0
 0:02.75 │       └── gkrust 0.1.0
 0:02.75 └── audio_thread_priority 0.32.0
 0:02.75     ├── gkrust-shared 0.1.0
 0:02.75     ├── audioipc2-server 0.6.0
 0:02.75     │   └── gkrust-shared 0.1.0
 0:02.75     ├── audioipc2-client 0.6.0
 0:02.75     │   └── gkrust-shared 0.1.0
 0:02.75     └── audioipc2 0.6.0
 0:02.75         ├── audioipc2-server 0.6.0
 0:02.75         └── audioipc2-client 0.6.0
 0:02.75 
 0:02.75 Crate:     net2
 0:02.75 Version:   0.2.38
 0:02.75 Warning:   unmaintained
 0:02.75 Title:     `net2` crate has been deprecated; use `socket2` instead
 0:02.75 Date:      2020-05-01
 0:02.75 ID:        RUSTSEC-2020-0016
 0:02.75 URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
 0:02.75 Dependency tree:
 0:02.75 net2 0.2.38
 0:02.75 └── mio 0.6.23
 0:02.75     ├── mio-extras 2.0.6
 0:02.75     │   └── http3server 0.1.1
 0:02.75     └── http3server 0.1.1
 0:02.75 
 0:02.75 Crate:     safemem
 0:02.75 Version:   0.3.3
 0:02.75 Warning:   unmaintained
 0:02.75 Title:     safemem is unmaintained
 0:02.75 Date:      2023-02-14
 0:02.75 ID:        RUSTSEC-2023-0081
 0:02.75 URL:       https://rustsec.org/advisories/RUSTSEC-2023-0081
 0:02.75 Dependency tree:
 0:02.75 safemem 0.3.3
 0:02.75 └── line-wrap 0.1.1
 0:02.75     └── plist 1.3.1
 0:02.75         └── mozrunner 0.15.2
 0:02.75             └── geckodriver 0.34.0
 0:02.75 
 0:02.75 Crate:     serde_cbor
 0:02.75 Version:   0.11.2
 0:02.75 Warning:   unmaintained
 0:02.75 Title:     serde_cbor is unmaintained
 0:02.75 Date:      2021-08-15
 0:02.75 ID:        RUSTSEC-2021-0127
 0:02.75 URL:       https://rustsec.org/advisories/RUSTSEC-2021-0127
 0:02.75 Dependency tree:
 0:02.75 serde_cbor 0.11.2
 0:02.75 ├── authrs_bridge 0.1.0
 0:02.75 │   └── gkrust-shared 0.1.0
 0:02.75 │       ├── gkrust-gtest 0.1.0
 0:02.75 │       └── gkrust 0.1.0
 0:02.75 └── authenticator 0.4.0-alpha.24
 0:02.75     └── authrs_bridge 0.1.0
 0:02.75 
 0:02.75 Crate:     yaml-rust
 0:02.75 Version:   0.4.5
 0:02.75 Warning:   unmaintained
 0:02.75 Title:     yaml-rust is unmaintained.
 0:02.75 Date:      2024-03-20
 0:02.75 ID:        RUSTSEC-2024-0320
 0:02.75 URL:       https://rustsec.org/advisories/RUSTSEC-2024-0320
 0:02.75 Dependency tree:
 0:02.75 yaml-rust 0.4.5
 0:02.75 ├── serde_yaml 0.8.26
 0:02.75 │   └── geckodriver 0.34.0
 0:02.75 └── crashreporter 1.0.0
 0:02.75 
 0:02.75 Crate:     crossbeam-channel
 0:02.75 Version:   0.5.6
 0:02.75 Warning:   yanked
 0:02.75 Dependency tree:
 0:02.75 crossbeam-channel 0.5.6
 0:02.75 ├── webrender_api 0.62.0
 0:02.75 │   ├── wr_glyph_rasterizer 0.1.0
 0:02.75 │   │   └── webrender 0.62.0
 0:02.75 │   │       └── webrender_bindings 0.1.0
 0:02.75 │   │           └── gkrust-shared 0.1.0
 0:02.75 │   │               ├── gkrust-gtest 0.1.0
 0:02.75 │   │               └── gkrust 0.1.0
 0:02.75 │   └── webrender 0.62.0
 0:02.75 └── glean-core 60.0.0
 0:02.75     └── glean 60.0.0
 0:02.75         ├── wr_glyph_rasterizer 0.1.0
 0:02.75         ├── webrender 0.62.0
 0:02.75         ├── fog_control 0.1.0
 0:02.75         │   └── gkrust-shared 0.1.0
 0:02.75         └── firefox-on-glean 0.1.0
 0:02.75             ├── wr_glyph_rasterizer 0.1.0
 0:02.75             ├── webrender 0.62.0
 0:02.75             ├── jog 0.1.0
 0:02.75             │   ├── gkrust-shared 0.1.0
 0:02.75             │   └── fog-gtest 0.1.0
 0:02.75             │       └── gkrust-gtest 0.1.0
 0:02.75             ├── fog_control 0.1.0
 0:02.75             ├── fog-gtest 0.1.0
 0:02.75             └── data_storage 0.0.1
 0:02.75                 └── gkrust-shared 0.1.0
 0:02.75 
 0:02.75 Crate:     self_cell
 0:02.75 Version:   0.10.2
 0:02.75 Warning:   yanked
 0:02.75 
 0:02.75 error: 8 vulnerabilities found!
 0:02.75 warning: 7 allowed warnings found
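The report above is what a triage pass has to work from: blank-line-separated `Crate:` blocks, a `Warning:` line for unmaintained/yanked crates, a `Solution:` line that is either `Upgrade to ...` or `No fixed upgrade is available!`, and an indented dependency tree whose childless entries are the top-level consumers (gkrust, geckodriver, crashreporter, ...). The following is an added example, not code from the bug or from mozilla-central: a small Python parser for that text format (including mach's leading elapsed-time column) that groups findings by whether a fixed version exists and by whether they reach gkrust, and cross-checks its own count against cargo audit's `error: N vulnerabilities found!` trailer. `SAMPLE` is a constructed excerpt of the output shown in this bug; the field names and tree layout are as printed above, nothing else is assumed.

```python
"""Triage helper for the text output of `cargo audit` / `./mach cargo audit`.

Added example, not part of the bug or of mozilla-central. SAMPLE is a
constructed excerpt of the report shown in the bug.
"""
import re
from dataclasses import dataclass, field

# mach prefixes every line with an elapsed-time column; plain `cargo audit` does not.
MACH_PREFIX = re.compile(r"^\s*\d+:\d{2}\.\d{2}(?: |$)")
TREE_CONNECTOR = re.compile(r"[├└]── ")


@dataclass
class Finding:
    crate: str
    version: str
    kind: str                 # "vulnerability", or a warning kind: "unmaintained", "yanked"
    advisory_id: str          # "" for yanked crates, which carry no advisory
    title: str
    solution: str             # "" when the report printed no Solution: line
    tree: list = field(default_factory=list)  # [(depth, "name version"), ...]

    @property
    def fix_available(self) -> bool:
        # cargo audit prints "No fixed upgrade is available!" when nothing is patched.
        return self.solution.startswith("Upgrade to")

    @property
    def all_crates(self) -> set:
        return {entry.split()[0] for _, entry in self.tree}

    @property
    def leaves(self) -> set:
        """Entries printed with nothing beneath them: the top-level consumers.
        Caveat: cargo audit expands a repeated subtree only once, so a leaf here
        may have children shown elsewhere in the same tree; all_crates is the
        full reach."""
        out = set()
        for i, (depth, entry) in enumerate(self.tree):
            next_depth = self.tree[i + 1][0] if i + 1 < len(self.tree) else -1
            if next_depth <= depth:
                out.add(entry.split()[0])
        return out


def strip_prefix(line: str) -> str:
    m = MACH_PREFIX.match(line)
    return line[m.end():] if m else line


def tree_entry(line: str):
    """Depth from the connector's column: each level is 4 chars ("│   ")."""
    m = TREE_CONNECTOR.search(line)
    if m is None:
        return (0, line.strip())          # root line, e.g. "chrono 0.4.19"
    return (m.start() // 4 + 1, line[m.end():].strip())


def parse_block(lines):
    fields, tree, in_tree = {}, [], False
    for ln in lines:
        if in_tree:
            tree.append(tree_entry(ln))
        elif ln.strip() == "Dependency tree:":
            in_tree = True
        else:
            key, _, val = ln.partition(":")   # "URL: https://..." splits on the first colon only
            fields[key.strip()] = val.strip()
    return Finding(
        crate=fields["Crate"], version=fields["Version"],
        kind=fields.get("Warning", "vulnerability"),
        advisory_id=fields.get("ID", ""), title=fields.get("Title", ""),
        solution=fields.get("Solution", ""), tree=tree,
    )


def parse_report(text: str):
    """Split the report into blank-line-separated blocks and keep the Crate: ones."""
    findings, block = [], []
    for raw in text.splitlines() + [""]:     # trailing "" flushes the last block
        ln = strip_prefix(raw)
        if ln.strip():
            block.append(ln)
            continue
        if block and block[0].startswith("Crate:"):
            findings.append(parse_block(block))
        block = []
    return findings


def triage(text: str):
    findings = parse_report(text)
    vulns = [f for f in findings if f.kind == "vulnerability"]
    warnings = [f for f in findings if f.kind != "vulnerability"]
    # Cross-check the parse against cargo audit's own trailer counts.
    m_v = re.search(r"error: (\d+) vulnerabilit", text)
    m_w = re.search(r"warning: (\d+) allowed warnings", text)
    consistent = (m_v is None or int(m_v.group(1)) == len(vulns)) and \
                 (m_w is None or int(m_w.group(1)) == len(warnings))
    return {
        "upgradeable": [f.advisory_id for f in vulns if f.fix_available],
        "no_fix": [f.advisory_id for f in vulns if not f.fix_available],
        "warnings": [(f.crate, f.kind) for f in warnings],
        "reaches_gkrust": sorted(f.crate for f in findings if "gkrust" in f.all_crates),
        "counts_consistent": consistent,
    }


# Constructed excerpt of the bug's output (three of its blocks, counts adjusted to match).
SAMPLE = """\
 0:02.73 Crate:     remove_dir_all
 0:02.73 Version:   0.5.3
 0:02.73 Title:     Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
 0:02.73 Date:      2023-02-24
 0:02.73 ID:        RUSTSEC-2023-0018
 0:02.73 URL:       https://rustsec.org/advisories/RUSTSEC-2023-0018
 0:02.73 Solution:  Upgrade to >=0.8.0
 0:02.73 Dependency tree:
 0:02.73 remove_dir_all 0.5.3
 0:02.73 └── webrender_bindings 0.1.0
 0:02.73     └── gkrust-shared 0.1.0
 0:02.73         ├── gkrust-gtest 0.1.0
 0:02.73         └── gkrust 0.1.0
 0:02.73
 0:02.73 Crate:     owning_ref
 0:02.73 Version:   0.4.1
 0:02.73 Title:     Multiple soundness issues in `owning_ref`
 0:02.73 Date:      2022-01-26
 0:02.73 ID:        RUSTSEC-2022-0040
 0:02.73 URL:       https://rustsec.org/advisories/RUSTSEC-2022-0040
 0:02.73 Solution:  No fixed upgrade is available!
 0:02.73 Dependency tree:
 0:02.73 owning_ref 0.4.1
 0:02.73 └── style 0.0.1
 0:02.73     ├── stylo_tests 0.0.1
 0:02.73     │   └── gkrust 0.1.0
 0:02.73     └── geckoservo 0.0.1
 0:02.73         └── gkrust-shared 0.1.0
 0:02.73             ├── gkrust-gtest 0.1.0
 0:02.73             └── gkrust 0.1.0
 0:02.73
 0:02.73 Crate:     self_cell
 0:02.73 Version:   0.10.2
 0:02.73 Warning:   yanked
 0:02.73
 0:02.73 error: 2 vulnerabilities found!
 0:02.73 warning: 1 allowed warnings found
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the full report (`./mach cargo audit > audit.txt; python3 triage.py < audit.txt` with a one-line `sys.stdin.read()` in place of `SAMPLE`) and the `no_fix` bucket is the one that needs a decision rather than a version bump, which for this report is owning_ref alone. The `counts_consistent` flag guards against the parser silently dropping a block when the output format changes between cargo-audit releases.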

Component: Audio/Video: Recording → General
Product: Core → Firefox Build System

That's issues in
  • chrono: looks like a DoS to me
  • h2 - DoS
  • owning_ref - see 1894756
  • remove_dir_all - Should probably fix this
  • self_cell - should probably fix this, but unlikely to be a problem
  • shlex - should probably fix this, but unlikely to be a problem
  • time - looks like a DoS to me
  • mach - should consider migrating?
  • net2 - looks like mio uses this and we'd need to upgrade or resolve that situation
  • safemem - looks like we can eliminate this dependency with a few different built-in functions now
  • serde-cbor - used in webauthn/authrs_bridge and has been audited, but this either is exposed to attacker input or eventually will be I imagine, so it'd be good to get to a maintained version
  • yaml-rust - looks like it's used by rust/serde_yaml/ - it's been audited by someone whose audit we pulled in.
  • crossbeam-channel - a couple years out of date on this, although no known vulns

Can we run cargo audit in the build system?

(In reply to Tom Ritter [:tjr] from comment #2)
> Can we run cargo audit in the build system?

You can run mach cargo audit

(In reply to Tom Ritter [:tjr] from comment #1)
> • chrono: looks like a DoS to me

We have tons of other localtime_r uses. Fixing chrono is not going to move the needle one bit. OTOH, IIRC, upgrading chrono causes problems, which is essentially why it hasn't been updated.

> • h2 - DoS
> • owning_ref - see 1894756
> • remove_dir_all - Should probably fix this
> • self_cell - should probably fix this, but unlikely to be a problem
> • shlex - should probably fix this, but unlikely to be a problem
> • time - looks like a DoS to me
> • mach - should consider migrating?
> • net2 - looks like mio uses this and we'd need to upgrade or resolve that situation

bug 1825468

> • safemem - looks like we can eliminate this dependency with a few different built-in functions now
> • serde-cbor - used in webauthn/authrs_bridge and has been audited, but this either is exposed to attacker input or eventually will be I imagine, so it'd be good to get to a maintained version
> • yaml-rust - looks like it's used by rust/serde_yaml/ - it's been audited by someone whose audit we pulled in.
> • crossbeam-channel - a couple years out of date on this, although no known vulns

It's kind of sad that "unmaintained" is a security issue for RUSTSEC...

Severity: -- → S3
Priority: -- → P3