1976023 - Perma /builds/worker/checkouts/gecko/Cargo.lock:-1:-1 | Crate depends on a vulnerable version of remove_dir_all. | single tracking bug

Reporter

Description

•

8 months ago

treeherder

Filed by: amarc [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=516687631&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/A5OZB4KfTWqVSMQIrBCyVA/runs/0/artifacts/public/logs/live_backing.log

[vcs 2025-07-07T15:15:57.454+00:00] updating [================================================> ] 386463/387852 01s
[vcs 2025-07-07T15:15:59.654+00:00]                                                                                 
[vcs 2025-07-07T15:15:59.654+00:00] 387852 files updated, 0 files merged, 0 files removed, 0 files unresolved
[vcs 2025-07-07T15:15:59.816+00:00] updated to cf151aca41a385be7601f10297cbb36da1bc9f56
[vcs 2025-07-07T15:15:59.817+00:00] PERFHERDER_DATA: {"framework": {"name": "vcs"}, "suites": [{"extraOptions": ["projects/887720501152/machineTypes/c2-standard-4"], "hgVersion": "6.8.1", "lowerIsBetter": true, "name": "clone", "serverUrl": "hg.mozilla.org", "shouldAlert": false, "subtests": [], "value": 139.8061544895172}, {"extraOptions": ["projects/887720501152/machineTypes/c2-standard-4"], "hgVersion": "6.8.1", "lowerIsBetter": true, "name": "update", "serverUrl": "hg.mozilla.org", "shouldAlert": false, "subtests": [], "value": 102.51660084724426}, {"extraOptions": ["projects/887720501152/machineTypes/c2-standard-4"], "hgVersion": "6.8.1", "lowerIsBetter": true, "name": "overall", "serverUrl": "hg.mozilla.org", "shouldAlert": false, "subtests": [], "value": 243.16942954063416}, {"extraOptions": ["projects/887720501152/machineTypes/c2-standard-4"], "hgVersion": "6.8.1", "lowerIsBetter": true, "name": "overall_pull", "serverUrl": "hg.mozilla.org", "shouldAlert": false, "subtests": [], "value": 243.16942954063416}, {"extraOptions": ["projects/887720501152/machineTypes/c2-standard-4"], "hgVersion": "6.8.1", "lowerIsBetter": true, "name": "overall_pull_fullcheckout", "serverUrl": "hg.mozilla.org", "shouldAlert": false, "subtests": [], "value": 243.16942954063416}, {"extraOptions": ["projects/887720501152/machineTypes/c2-standard-4"], "hgVersion": "6.8.1", "lowerIsBetter": true, "name": "overall_pull_emptywdir", "serverUrl": "hg.mozilla.org", "shouldAlert": false, "subtests": [], "value": 243.16942954063416}]}
[vcs 2025-07-07T15:16:00.296+00:00] TinderboxPrint:<a href=https://hg.mozilla.org/integration/autoland/rev/cf151aca41a385be7601f10297cbb36da1bc9f56 title='Built from autoland revision cf151aca41a385be7601f10297cbb36da1bc9f56'>cf151aca41a385be7601f10297cbb36da1bc9f56</a>
[setup 2025-07-07T15:16:00.296+00:00] GECKO_PATH is /builds/worker/checkouts/gecko
[setup 2025-07-07T15:16:00.296+00:00] MOZ_FETCHES_DIR is /builds/worker/fetches
[setup 2025-07-07T15:16:00.296+00:00] MOZ_PYTHON_HOME is /builds/worker/fetches/python
[setup 2025-07-07T15:16:00.296+00:00] PIP_CACHE_DIR is /builds/worker/.task-cache/pip
[setup 2025-07-07T15:16:00.296+00:00] UV_CACHE_DIR is /builds/worker/.task-cache/uv
[setup 2025-07-07T15:16:00.296+00:00] MOZ_UV_HOME is /builds/worker/fetches/uv
[fetches 2025-07-07T15:16:00.296+00:00] fetching artifacts
[fetches 2025-07-07T15:16:00.298+00:00] executing ['/usr/bin/python3', '-u', '/builds/worker/checkouts/gecko/third_party/python/taskcluster_taskgraph/taskgraph/run-task/fetch-content', 'task-artifacts']
[fetches 2025-07-07T15:16:00.390+00:00] attempt 1/5
[fetches 2025-07-07T15:16:00.390+00:00] Downloading https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/I55I-NCUSAawY3CYWZWhcg/artifacts/public/build/python.tar.zst to /builds/worker/fetches/python.tar.zst
[fetches 2025-07-07T15:16:00.391+00:00] attempt 1/5Downloading https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/I55I-NCUSAawY3CYWZWhcg/artifacts/public/build/python.tar.zst
[fetches 2025-07-07T15:16:00.392+00:00] 
[fetches 2025-07-07T15:16:00.392+00:00] attempt 1/5
[fetches 2025-07-07T15:16:00.392+00:00] Downloading https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/JafeM47JSrC4H1D-ilh30Q/artifacts/public/build/uv.tar.zst to /builds/worker/fetches/uv.tar.zst
[fetches 2025-07-07T15:16:00.392+00:00] Downloading https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/eaSrklt9TpW7_F9hP6k7yw/artifacts/public/build/rustc.tar.zst to /builds/worker/fetches/rustc.tar.zst
[fetches 2025-07-07T15:16:00.392+00:00] Downloading https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/JafeM47JSrC4H1D-ilh30Q/artifacts/public/build/uv.tar.zst
[fetches 2025-07-07T15:16:00.392+00:00] Downloading https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/eaSrklt9TpW7_F9hP6k7yw/artifacts/public/build/rustc.tar.zst
[fetches 2025-07-07T15:16:00.750+00:00] https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/JafeM47JSrC4H1D-ilh30Q/artifacts/public/build/uv.tar.zst resolved to 15882482 bytes with sha256 4891428a7459911551435f613aa0778e25bc0ef24a4f2f77d4db56de8c1fb80d in 0.358s
[fetches 2025-07-07T15:16:00.750+00:00] Verified size of https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/JafeM47JSrC4H1D-ilh30Q/artifacts/public/build/uv.tar.zst
[fetches 2025-07-07T15:16:00.751+00:00] Extracting /builds/worker/fetches/uv.tar.zst to /builds/worker/fetches
[fetches 2025-07-07T15:16:00.887+00:00] /builds/worker/fetches/uv.tar.zst extracted in 0.136s
[fetches 2025-07-07T15:16:00.887+00:00] Removing /builds/worker/fetches/uv.tar.zst
[fetches 2025-07-07T15:16:01.166+00:00] https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/I55I-NCUSAawY3CYWZWhcg/artifacts/public/build/python.tar.zst resolved to 110042531 bytes with sha256 34dd9f71ae27d9756d73f5966fc8230434e8e2ca9ab4851f84abf877f92fdfa1 in 0.775s
[fetches 2025-07-07T15:16:01.166+00:00] Verified size of https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/I55I-NCUSAawY3CYWZWhcg/artifacts/public/build/python.tar.zst
[fetches 2025-07-07T15:16:01.167+00:00] Extracting /builds/worker/fetches/python.tar.zst to /builds/worker/fetches
[fetches 2025-07-07T15:16:02.256+00:00] https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/eaSrklt9TpW7_F9hP6k7yw/artifacts/public/build/rustc.tar.zst resolved to 319091591 bytes with sha256 f1945ff92b740a93c8f81c0819c058c99ea2426e629fa435a785107cf16257a9 in 1.864s
[fetches 2025-07-07T15:16:02.256+00:00] Verified size of https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/eaSrklt9TpW7_F9hP6k7yw/artifacts/public/build/rustc.tar.zst
[fetches 2025-07-07T15:16:02.256+00:00] Extracting /builds/worker/fetches/rustc.tar.zst to /builds/worker/fetches
[fetches 2025-07-07T15:16:02.377+00:00] /builds/worker/fetches/python.tar.zst extracted in 1.210s
[fetches 2025-07-07T15:16:02.377+00:00] Removing /builds/worker/fetches/python.tar.zst
[fetches 2025-07-07T15:16:04.728+00:00] /builds/worker/fetches/rustc.tar.zst extracted in 2.471s
[fetches 2025-07-07T15:16:04.728+00:00] Removing /builds/worker/fetches/rustc.tar.zst
[fetches 2025-07-07T15:16:04.767+00:00] PERFHERDER_DATA: {"framework": {"name": "build_metrics"}, "suites": [{"name": "fetch_content", "value": 4.380070025999885, "lowerIsBetter": true, "shouldAlert": false, "subtests": []}]}
[fetches 2025-07-07T15:16:04.784+00:00] finished fetching artifacts
[setup 2025-07-07T15:16:04.784+00:00] Setting up local python environment
[setup 2025-07-07T15:16:04.784+00:00] updated PATH with python artifact: /builds/worker/fetches/python/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[setup 2025-07-07T15:16:04.784+00:00] Adding uv to PATH
[setup 2025-07-07T15:16:04.784+00:00] updated PATH with uv artifact: /builds/worker/fetches/uv:/builds/worker/fetches/python/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[task 2025-07-07T15:16:04.784+00:00] executing ['bash', '-cx', 'PATH=$MOZ_FETCHES_DIR/rustc/bin/:/builds/worker/.cargo/bin/:$PATH ./mach lint -v --warnings=soft -l cargo-audit -f treeherder -f json:/builds/worker/mozlint.json .']in /builds/worker/checkouts/gecko
[task 2025-07-07T15:16:04.791+00:00] bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
[task 2025-07-07T15:16:04.791+00:00] + PATH=/builds/worker/fetches/rustc/bin/:/builds/worker/.cargo/bin/:/builds/worker/fetches/uv:/builds/worker/fetches/python/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[task 2025-07-07T15:16:04.791+00:00] + ./mach lint -v --warnings=soft -l cargo-audit -f treeherder -f json:/builds/worker/mozlint.json .
[task 2025-07-07T15:19:23.168+00:00] 15:19:23.167 mozlint (22) | setup for cargo-audit finished in 195.46 seconds
[task 2025-07-07T15:19:23.171+00:00] Creating default state directory: /builds/worker/.mozbuild
[task 2025-07-07T15:19:23.171+00:00] Creating local state directory: /builds/worker/.mozbuild/srcdirs/gecko-8a5b87fe5d69
[task 2025-07-07T15:19:23.171+00:00] Creating the 'lint' site at /builds/worker/.mozbuild/srcdirs/gecko-8a5b87fe5d69/_virtualenvs/lint
[task 2025-07-07T15:19:24.059+00:00] 15:19:24.58 cargo-audit (5355) | Finished in 0.88 seconds
[task 2025-07-07T15:19:24.452+00:00] 15:19:24.452 cargo-audit (5357) | Finished in 1.27 seconds
[task 2025-07-07T15:19:25.580+00:00] 15:19:25.580 cargo-audit (5356) | Finished in 2.40 seconds
[task 2025-07-07T15:19:27.475+00:00] 15:19:27.475 cargo-audit (5358) | Passing the following paths:
[task 2025-07-07T15:19:27.475+00:00] /builds/worker/checkouts/gecko/Cargo.lock
[task 2025-07-07T15:19:29.685+00:00] 15:19:29.685 cargo-audit (5358) | Finished in 6.50 seconds
[task 2025-07-07T15:19:29.708+00:00] TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/Cargo.lock:-1:-1 | Crate depends on a vulnerable version of remove_dir_all.
[task 2025-07-07T15:19:29.708+00:00] 
[task 2025-07-07T15:19:29.708+00:00] Advisory:
[task 2025-07-07T15:19:29.708+00:00] Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
[task 2025-07-07T15:19:29.708+00:00] Package: remove_dir_all
[task 2025-07-07T15:19:29.708+00:00] ID: RUSTSEC-2023-0018
[task 2025-07-07T15:19:29.708+00:00] Report date: 2023-02-24
[task 2025-07-07T15:19:29.708+00:00] The remove_dir_all crate is a Rust library that offers additional features over the Rust
[task 2025-07-07T15:19:29.708+00:00] standard library fs::remove_dir_all function.
[task 2025-07-07T15:19:29.708+00:00] 
[task 2025-07-07T15:19:29.708+00:00] It was possible to trick a privileged process doing a recursive delete in an
[task 2025-07-07T15:19:29.708+00:00] attacker controlled directory into deleting privileged files, on all operating systems.
[task 2025-07-07T15:19:29.708+00:00] 
[task 2025-07-07T15:19:29.708+00:00] For instance, consider deleting a tree called 'etc' in a parent directory
[task 2025-07-07T15:19:29.708+00:00] called 'p'. Between calling `remove_dir_all("a")` and remove_dir_all("a")
[task 2025-07-07T15:19:29.708+00:00] actually starting its work, the attacker can move 'p' to 'p-prime', and
[task 2025-07-07T15:19:29.708+00:00] replace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'
[task 2025-07-07T15:19:29.708+00:00] which is actually /etc, and now your system is broken. There are some
[task 2025-07-07T15:19:29.708+00:00] mitigations for this exact scenario, such as CWD relative file lookup, but
[task 2025-07-07T15:19:29.708+00:00] they are not guaranteed - any code using absolute paths will not have that
[task 2025-07-07T15:19:29.708+00:00] protection in place.
[task 2025-07-07T15:19:29.708+00:00] 
[task 2025-07-07T15:19:29.708+00:00] The same attack could be performed at any point in the directory tree being
[task 2025-07-07T15:19:29.708+00:00] deleted: if 'a' contains a child directory called 'etc', attacking the
[task 2025-07-07T15:19:29.708+00:00] deletion by replacing 'a' with a link is possible.
[task 2025-07-07T15:19:29.708+00:00] 
[task 2025-07-07T15:19:29.708+00:00] The new code in this release mitigates the attack within the directory tree
[task 2025-07-07T15:19:29.708+00:00] being deleted by using file-handle relative operations: to open 'a/etc', the
[task 2025-07-07T15:19:29.708+00:00] path 'etc' relative to 'a' is opened, where 'a' is represented by a file
[task 2025-07-07T15:19:29.708+00:00] descriptor (Unix) or handle (Windows). With the exception of the entry points
[task 2025-07-07T15:19:29.708+00:00] into the directory deletion logic, this is robust against manipulation of the
[task 2025-07-07T15:19:29.708+00:00] directory hierarchy, and remove_dir_all will only delete files and directories
[task 2025-07-07T15:19:29.708+00:00] contained in the tree it is deleting.
[task 2025-07-07T15:19:29.708+00:00] 
[task 2025-07-07T15:19:29.708+00:00] The entry path however is a challenge - as described above, there are some
[task 2025-07-07T15:19:29.708+00:00] potential mitigations, but since using them must be done by the calling code,
[task 2025-07-07T15:19:29.708+00:00] it is hard to be confident about the security properties of the path based
[task 2025-07-07T15:19:29.708+00:00] interface.
[task 2025-07-07T15:19:29.708+00:00] 
[task 2025-07-07T15:19:29.708+00:00] The new extension trait `RemoveDir` provides an interface where it is much
[task 2025-07-07T15:19:29.708+00:00] harder to get it wrong.
[task 2025-07-07T15:19:29.708+00:00] 
[task 2025-07-07T15:19:29.708+00:00] `somedir.remove_dir_contents("name-of-child")`.
[task 2025-07-07T15:19:29.708+00:00] 
[task 2025-07-07T15:19:29.708+00:00] Callers can then make their own security evaluation about how to securely get
[task 2025-07-07T15:19:29.708+00:00] a directory handle. That is still not particularly obvious, and we're going to
[task 2025-07-07T15:19:29.708+00:00] follow up with a helper of some sort (probably in the `fs_at` crate). Once
[task 2025-07-07T15:19:29.708+00:00] that is available, the path based entry points will get deprecated.
[task 2025-07-07T15:19:29.708+00:00] 
[task 2025-07-07T15:19:29.708+00:00] In the interim, processes that might run with elevated privileges should
[task 2025-07-07T15:19:29.708+00:00] figure out how to securely identify the directory they are going to delete, to
[task 2025-07-07T15:19:29.708+00:00] avoid the initial race. Pragmatically, other processes should be fine with the
[task 2025-07-07T15:19:29.708+00:00] path based entry points : this is the same interface `std::fs::remove_dir_all`
[task 2025-07-07T15:19:29.708+00:00] offers, and an unprivileged process running in an attacker controlled
[task 2025-07-07T15:19:29.708+00:00] directory can't do anything that the attacker can't already do.
[task 2025-07-07T15:19:29.708+00:00] URL: https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead
[task 2025-07-07T15:19:29.708+00:00] Patched versions: [
[task 2025-07-07T15:19:29.708+00:00]   ">=0.8.0"
[task 2025-07-07T15:19:29.708+00:00] ]
[task 2025-07-07T15:19:29.708+00:00] Affected functions: {
[task 2025-07-07T15:19:29.708+00:00]   "remove_dir_all::ensure_empty_dir": [
[task 2025-07-07T15:19:29.709+00:00]     "<0.8.0"
[task 2025-07-07T15:19:29.709+00:00]   ],
[task 2025-07-07T15:19:29.709+00:00]   "remove_dir_all::remove_dir_all": [
[task 2025-07-07T15:19:29.709+00:00]     "<0.8.0"
[task 2025-07-07T15:19:29.709+00:00]   ],
[task 2025-07-07T15:19:29.709+00:00]   "remove_dir_all::remove_dir_contents": [
[task 2025-07-07T15:19:29.709+00:00]     "<0.8.0"
[task 2025-07-07T15:19:29.709+00:00]   ]
[task 2025-07-07T15:19:29.709+00:00] }
[task 2025-07-07T15:19:29.709+00:00] Advisory metadata: {
[task 2025-07-07T15:19:29.709+00:00]   "aliases": [
[task 2025-07-07T15:19:29.709+00:00]     "GHSA-mc8h-8q98-g5hr"
[task 2025-07-07T15:19:29.709+00:00]   ],
[task 2025-07-07T15:19:29.709+00:00]   "related": [],
[task 2025-07-07T15:19:29.709+00:00]   "collection": "crates",
[task 2025-07-07T15:19:29.709+00:00]   "categories": [],
[task 2025-07-07T15:19:29.709+00:00]   "keywords": [
[task 2025-07-07T15:19:29.709+00:00]     "TOCTOU"
[task 2025-07-07T15:19:29.709+00:00]   ],
[task 2025-07-07T15:19:29.709+00:00]   "informational": null,
[task 2025-07-07T15:19:29.709+00:00]   "references": [
[task 2025-07-07T15:19:29.709+00:00]     "https://github.com/advisories/GHSA-mc8h-8q98-g5hr"
[task 2025-07-07T15:19:29.709+00:00]   ],
[task 2025-07-07T15:19:29.709+00:00]   "source": null,
[task 2025-07-07T15:19:29.709+00:00]   "withdrawn": null,
[task 2025-07-07T15:19:29.709+00:00]   "license": "CC0-1.0"
[task 2025-07-07T15:19:29.709+00:00] }
[task 2025-07-07T15:19:29.709+00:00] 
[task 2025-07-07T15:19:29.709+00:00] Package info: {
[task 2025-07-07T15:19:29.709+00:00]   "name": "remove_dir_all",
[task 2025-07-07T15:19:29.709+00:00]   "version": "0.5.3",
[task 2025-07-07T15:19:29.709+00:00]   "source": "registry+https://github.com/rust-lang/crates.io-index",
[task 2025-07-07T15:19:29.709+00:00]   "checksum": "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7",
[task 2025-07-07T15:19:29.709+00:00]   "dependencies": [
[task 2025-07-07T15:19:29.709+00:00]     {
[task 2025-07-07T15:19:29.709+00:00]       "name": "winapi",
[task 2025-07-07T15:19:29.709+00:00]       "version": "0.3.9",
[task 2025-07-07T15:19:29.709+00:00]       "source": "registry+https://github.com/rust-lang/crates.io-index"
[task 2025-07-07T15:19:29.709+00:00]     }
[task 2025-07-07T15:19:29.709+00:00]   ],
[task 2025-07-07T15:19:29.709+00:00]   "replace": null
[task 2025-07-07T15:19:29.709+00:00] } (cargo-audit)
[task 2025-07-07T15:19:29.709+00:00] TEST-UNEXPECTED-WARNING | /builds/worker/checkouts/gecko/Cargo.lock:-1:-1 | Crate depends on a unmaintained version of mach.
[task 2025-07-07T15:19:29.709+00:00] 
[task 2025-07-07T15:19:29.709+00:00] Advisory:
[task 2025-07-07T15:19:29.709+00:00] mach is unmaintained
[task 2025-07-07T15:19:29.709+00:00] Package: mach
[task 2025-07-07T15:19:29.709+00:00] ID: RUSTSEC-2020-0168
[task 2025-07-07T15:19:29.709+00:00] Report date: 2020-07-14
[task 2025-07-07T15:19:29.709+00:00] Last release was almost 4 years ago.
[task 2025-07-07T15:19:29.709+00:00] 
[task 2025-07-07T15:19:29.709+00:00] Maintainer(s) seem to be completely unreachable. 
[task 2025-07-07T15:19:29.709+00:00] 
[task 2025-07-07T15:19:29.709+00:00] ## Possible Alternative(s)
[task 2025-07-07T15:19:29.709+00:00] 
[task 2025-07-07T15:19:29.709+00:00] These may or may not be suitable alternatives and have not been vetted in any way;
[task 2025-07-07T15:19:29.709+00:00] - [mach2](https://crates.io/crates/mach2) - direct fork
[task 2025-07-07T15:19:29.709+00:00] URL: https://github.com/fitzgen/mach/issues/63
[task 2025-07-07T15:19:29.709+00:00] Advisory metadata: {
[task 2025-07-07T15:19:29.709+00:00]   "aliases": [],
[task 2025-07-07T15:19:29.709+00:00]   "related": [],
[task 2025-07-07T15:19:29.710+00:00]   "collection": "crates",
[task 2025-07-07T15:19:29.710+00:00]   "categories": [],
[task 2025-07-07T15:19:29.710+00:00]   "keywords": [],
[task 2025-07-07T15:19:29.710+00:00]   "informational": "unmaintained",
[task 2025-07-07T15:19:29.710+00:00]   "references": [],
[task 2025-07-07T15:19:29.710+00:00]   "source": null,
[task 2025-07-07T15:19:29.710+00:00]   "withdrawn": null,
[task 2025-07-07T15:19:29.710+00:00]   "license": "CC0-1.0"
[task 2025-07-07T15:19:29.710+00:00] }
[task 2025-07-07T15:19:29.710+00:00] 
[task 2025-07-07T15:19:29.710+00:00] Package info: {
[task 2025-07-07T15:19:29.710+00:00]   "name": "mach",
[task 2025-07-07T15:19:29.710+00:00]   "version": "0.3.2",
[task 2025-07-07T15:19:29.710+00:00]   "source": "registry+https://github.com/rust-lang/crates.io-index",
[task 2025-07-07T15:19:29.710+00:00]   "checksum": "b823e83b2affd8f40a9ee8c29dbc56404c1e34cd2710921f2801e2cf29527afa",
[task 2025-07-07T15:19:29.710+00:00]   "dependencies": [
[task 2025-07-07T15:19:29.710+00:00]     {
[task 2025-07-07T15:19:29.710+00:00]       "name": "libc",
[task 2025-07-07T15:19:29.710+00:00]       "version": "0.2.171",
[task 2025-07-07T15:19:29.710+00:00]       "source": "registry+https://github.com/rust-lang/crates.io-index"
[task 2025-07-07T15:19:29.710+00:00]     }
[task 2025-07-07T15:19:29.710+00:00]   ],
[task 2025-07-07T15:19:29.710+00:00]   "replace": null
[task 2025-07-07T15:19:29.710+00:00] } (cargo-audit)
[task 2025-07-07T15:19:29.710+00:00] TEST-UNEXPECTED-WARNING | /builds/worker/checkouts/gecko/Cargo.lock:-1:-1 | Crate depends on a unmaintained version of paste.
[task 2025-07-07T15:19:29.710+00:00] 
[task 2025-07-07T15:19:29.710+00:00] Advisory:
[task 2025-07-07T15:19:29.710+00:00] paste - no longer maintained
[task 2025-07-07T15:19:29.710+00:00] Package: paste
[task 2025-07-07T15:19:29.710+00:00] ID: RUSTSEC-2024-0436
[task 2025-07-07T15:19:29.710+00:00] Report date: 2024-10-07
[task 2025-07-07T15:19:29.710+00:00] The creator of the crate `paste` has stated in the [`README.md`](https://github.com/dtolnay/paste/blob/master/README.md) 
[task 2025-07-07T15:19:29.710+00:00] that this project is not longer maintained as well as archived the repository
[task 2025-07-07T15:19:29.710+00:00] URL: https://github.com/dtolnay/paste
[task 2025-07-07T15:19:29.710+00:00] Advisory metadata: {
[task 2025-07-07T15:19:29.710+00:00]   "aliases": [],
[task 2025-07-07T15:19:29.710+00:00]   "related": [],
[task 2025-07-07T15:19:29.710+00:00]   "collection": "crates",
[task 2025-07-07T15:19:29.710+00:00]   "categories": [],
[task 2025-07-07T15:19:29.710+00:00]   "keywords": [],
[task 2025-07-07T15:19:29.710+00:00]   "informational": "unmaintained",
[task 2025-07-07T15:19:29.710+00:00]   "references": [],
[task 2025-07-07T15:19:29.710+00:00]   "source": null,
[task 2025-07-07T15:19:29.710+00:00]   "withdrawn": null,
[task 2025-07-07T15:19:29.710+00:00]   "license": "CC0-1.0"
[task 2025-07-07T15:19:29.710+00:00] }
[task 2025-07-07T15:19:29.710+00:00] 
[task 2025-07-07T15:19:29.710+00:00] Package info: {
[task 2025-07-07T15:19:29.710+00:00]   "name": "paste",
[task 2025-07-07T15:19:29.710+00:00]   "version": "1.0.11",
[task 2025-07-07T15:19:29.710+00:00]   "source": "registry+https://github.com/rust-lang/crates.io-index",
[task 2025-07-07T15:19:29.710+00:00]   "checksum": "d01a5bd0424d00070b0098dd17ebca6f961a959dead1dbcbbbc1d1cd8d3deeba",
[task 2025-07-07T15:19:29.710+00:00]   "replace": null
[task 2025-07-07T15:19:29.710+00:00] } (cargo-audit)
[task 2025-07-07T15:19:29.710+00:00] TEST-UNEXPECTED-WARNING | /builds/worker/checkouts/gecko/Cargo.lock:-1:-1 | Crate depends on a unmaintained version of serde_cbor.
[task 2025-07-07T15:19:29.710+00:00] 
[task 2025-07-07T15:19:29.710+00:00] Advisory:
[task 2025-07-07T15:19:29.710+00:00] serde_cbor is unmaintained
[task 2025-07-07T15:19:29.710+00:00] Package: serde_cbor
[task 2025-07-07T15:19:29.710+00:00] ID: RUSTSEC-2021-0127
[task 2025-07-07T15:19:29.710+00:00] Report date: 2021-08-15
[task 2025-07-07T15:19:29.710+00:00] The `serde_cbor` crate is unmaintained. The author has archived the github repository.
[task 2025-07-07T15:19:29.710+00:00] 
[task 2025-07-07T15:19:29.710+00:00] Alternatives proposed by the author:
[task 2025-07-07T15:19:29.710+00:00] 
[task 2025-07-07T15:19:29.710+00:00]  * [`ciborium`](https://crates.io/crates/ciborium)
[task 2025-07-07T15:19:29.710+00:00]  * [`minicbor`](https://crates.io/crates/minicbor)
[task 2025-07-07T15:19:29.710+00:00] URL: https://github.com/pyfisch/cbor
[task 2025-07-07T15:19:29.710+00:00] Advisory metadata: {
[task 2025-07-07T15:19:29.710+00:00]   "aliases": [],
[task 2025-07-07T15:19:29.710+00:00]   "related": [],
[task 2025-07-07T15:19:29.710+00:00]   "collection": "crates",
[task 2025-07-07T15:19:29.710+00:00]   "categories": [],
[task 2025-07-07T15:19:29.710+00:00]   "keywords": [],
[task 2025-07-07T15:19:29.710+00:00]   "informational": "unmaintained",
[task 2025-07-07T15:19:29.710+00:00]   "references": [],
[task 2025-07-07T15:19:29.710+00:00]   "source": null,
[task 2025-07-07T15:19:29.710+00:00]   "withdrawn": null,
[task 2025-07-07T15:19:29.710+00:00]   "license": "CC0-1.0"
[task 2025-07-07T15:19:29.710+00:00] }
[task 2025-07-07T15:19:29.710+00:00] 
[task 2025-07-07T15:19:29.710+00:00] Package info: {
[task 2025-07-07T15:19:29.710+00:00]   "name": "serde_cbor",
[task 2025-07-07T15:19:29.710+00:00]   "version": "0.11.2",
[task 2025-07-07T15:19:29.710+00:00]   "source": "registry+https://github.com/rust-lang/crates.io-index",
[task 2025-07-07T15:19:29.710+00:00]   "checksum": "2bef2ebfde456fb76bbcf9f59315333decc4fda0b2b44b420243c11e0f5ec1f5",
[task 2025-07-07T15:19:29.710+00:00]   "dependencies": [
[task 2025-07-07T15:19:29.710+00:00]     {
[task 2025-07-07T15:19:29.710+00:00]       "name": "half",
[task 2025-07-07T15:19:29.710+00:00]       "version": "1.999.999",
[task 2025-07-07T15:19:29.710+00:00]       "source": null
[task 2025-07-07T15:19:29.710+00:00]     },
[task 2025-07-07T15:19:29.710+00:00]     {
[task 2025-07-07T15:19:29.710+00:00]       "name": "serde",
[task 2025-07-07T15:19:29.710+00:00]       "version": "1.0.219",
[task 2025-07-07T15:19:29.710+00:00]       "source": "registry+https://github.com/rust-lang/crates.io-index"
[task 2025-07-07T15:19:29.710+00:00]     }
[task 2025-07-07T15:19:29.710+00:00]   ],
[task 2025-07-07T15:19:29.710+00:00]   "replace": null
[task 2025-07-07T15:19:29.710+00:00] } (cargo-audit)
[taskcluster 2025-07-07T15:19:30.318Z]                        Exit Code: 1
[taskcluster 2025-07-07T15:19:30.318Z]                        User Time: 32.957ms
[taskcluster 2025-07-07T15:19:30.318Z]                      Kernel Time: 29.797ms
[taskcluster 2025-07-07T15:19:30.318Z]                        Wall Time: 7m36.306830066s
[taskcluster 2025-07-07T15:19:30.318Z]  Average Available System Memory: 13.80 GiB
[taskcluster 2025-07-07T15:19:30.318Z]       Average System Memory Used: 1.48 GiB
[taskcluster 2025-07-07T15:19:30.318Z]          Peak System Memory Used: 2.69 GiB
[taskcluster 2025-07-07T15:19:30.318Z]              Total System Memory: 15.62 GiB
[taskcluster 2025-07-07T15:19:30.318Z]                           Result: FAILED
[taskcluster 2025-07-07T15:19:30.321Z] === Task Finished ===
[taskcluster 2025-07-07T15:19:30.321Z] Task Duration: 7m36.309446172s
[taskcluster 2025-07-07T15:19:31.143Z] Uploading artifact public/code-review/mozlint.json from file /home/task_175190087801765/artifact0.json with content encoding "gzip", mime type "application/json" and expiry 2026-07-07T15:11:33.419Z
[taskcluster 2025-07-07T15:19:31.279Z] [mounts] Preserving cache: Moving "/home/task_175190087801765/cache0" to "/home/generic-worker/caches/axxJWvnbQXi2xG06-psuRA"
[taskcluster 2025-07-07T15:19:31.279Z] [mounts] Preserving cache: Moving "/home/task_175190087801765/cache1" to "/home/generic-worker/caches/dMVp2TkFRlCleV_li999nA"
[taskcluster 2025-07-07T15:19:31.279Z] [mounts] Preserving cache: Moving "/home/task_175190087801765/cache2" to "/home/generic-worker/caches/W4zJuN-nQKqEvzDrQFH2IA"
[taskcluster 2025-07-07T15:19:31.351Z] Uploading link artifact public/logs/live.log to artifact public/logs/live_backing.log with expiry 2026-07-07T15:11:33.419Z
[taskcluster:error] exit status 1

amarc

Updated

•

8 months ago

Flags: needinfo?(egubler)

Keywords: regression

Regressed by: 1973947

Erich Gubler [:ErichDonGubler] (he/him)

Assignee

Comment 1

•

8 months ago

Attached file Bug 1976023 - chore(cargo-audit): suppress `RUSTSEC-2023-0018` r=#supply-chain-reviewers! — Details

I noticed that this config. file isn't part of our mots.yaml. I've
filed a patch to add it to supply chain reviewers' rules with D???????.

Phabricator Automation

Updated

•

8 months ago

Assignee: nobody → egubler

Status: NEW → ASSIGNED

Erich Gubler [:ErichDonGubler] (he/him)

Assignee

Updated

•

8 months ago

Flags: needinfo?(egubler)

Keywords: intermittent-failure, regression → regression

Updated

•

8 months ago

Keywords: intermittent-failure

BugBot [:suhaib / :marco/ :calixte]

Comment 2

•

8 months ago

Set release status flags based on info from the regressing bug 1973947

status-firefox140: --- → affected

status-firefox141: --- → affected

status-firefox142: --- → affected

status-firefox-esr128: --- → unaffected

status-firefox-esr140: --- → affected

Pulsebot

Comment 3

•

8 months ago

Pushed by egubler@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/c46de612153d https://hg.mozilla.org/integration/autoland/rev/88e559d8460b chore(cargo-audit): suppress `RUSTSEC-2023-0018` r=supply-chain-reviewers

Serban Stanca [:SerbanS]

Comment 4

•

8 months ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/88e559d8460b

Status: ASSIGNED → RESOLVED

Closed: 8 months ago

status-firefox142: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → 142 Branch

BugBot [:suhaib / :marco/ :calixte]

Comment 5

•

8 months ago

The patch landed in nightly and beta is affected.
:ErichDonGubler, is this bug important enough to require an uplift?

If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
If no, please set status-firefox141 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(egubler)

Donal Meehan [:dmeehan]

Updated

•

8 months ago

status-firefox140: affected → wontfix

Erich Gubler [:ErichDonGubler] (he/him)

Assignee

Comment 6

•

8 months ago

I'm actually not sure if cargo-audit lint suppression is important to uplift. :nika or :dmeehan, do you know?

Flags: needinfo?(nika)

Flags: needinfo?(egubler)

Flags: needinfo?(dmeehan)

Donal Meehan [:dmeehan]

Comment 7

•

8 months ago

Doesn't look like the linter was triggered for those branches, so makes sense to wontfix and not uplift.

status-firefox141: affected → wontfix

status-firefox-esr140: affected → wontfix

Flags: needinfo?(dmeehan)

Erich Gubler [:ErichDonGubler] (he/him)

Assignee

Updated

•

8 months ago

Flags: needinfo?(nika)

Bugzilla

Perma /builds/worker/checkouts/gecko/Cargo.lock:-1:-1 | Crate depends on a vulnerable version of remove_dir_all. | single tracking bug

Categories

(Core :: Graphics: WebRender, defect, P5)

Tracking

()

People

(Reporter: intermittent-bug-filer, Assigned: ErichDonGubler)

References

(Regression)

Details

(Keywords: intermittent-failure, regression)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Updated

Updated

Updated

Comment 2

Comment 3

Comment 4

Comment 5

Updated

Comment 6

Comment 7

Updated

Attachment

General

Description

File Name

Content Type