Crate depends on a vulnerable version of quick-xml.
Categories
(Testing :: Mozbase Rust, task)
Tracking
(firefox152 fixed, firefox153 fixed, firefox154 fixed)
People
(Reporter: Sylvestre, Assigned: Sylvestre)
References
Details
Attachments
(3 files, 1 obsolete file)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-release+
|
Details | Review |
The cargo-audit lint fails because Cargo.lock pins quick-xml 0.37.5, flagged by two RustSec advisories:
- RUSTSEC-2026-0194 - quadratic runtime when checking a start tag for duplicate attribute names (DoS).
- RUSTSEC-2026-0195 - unbounded namespace-declaration allocation in
NsReader(memory-exhaustion DoS).
Both are fixed in quick-xml >= 0.41.0. quick-xml is pulled in transitively via mozrunner -> plist. The latest plist (1.9.0) still depends on quick-xml 0.39.x, so we cannot upgrade past the vulnerable range yet.
In the meantime, add an exclude-error entry in tools/lint/cargo-audit.yml to keep CI green, mirroring the existing time / self_cell exclusions. Revisit once plist upstream bumps to quick-xml >= 0.41.0.
Comment 1•12 days ago
|
||
https://github.com/ebarnard/rust-plist/pull/191 handles the version bump for quick-xml in plist. Lets hope they are fast to solve it. Would be good to have a fix as well for the upcoming geckodriver 0.37.1 bugfix release.
| Assignee | ||
Comment 2•12 days ago
|
||
Updated•12 days ago
|
Comment 4•12 days ago
|
||
Bug 2052142 will be used for the actual version bump.
Comment 5•12 days ago
|
||
| bugherder | ||
Comment 6•11 days ago
|
||
can this eventually get backported to beta ? apparently it's blocking other backports like https://phabricator.services.mozilla.com/D310041#10764659 ...
| Assignee | ||
Comment 7•11 days ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D310042
Updated•11 days ago
|
| Assignee | ||
Comment 8•11 days ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D310042
Updated•11 days ago
|
Comment 9•11 days ago
|
||
firefox-beta Uplift Approval Request
- User impact if declined/Reason for urgency: Just ignoring/silent warning in the CI.
doesn't go into our product - Code covered by automated testing?: yes
- Fix verified in Nightly?: yes
- Needs manual QE testing?: no
- Steps to reproduce for manual QE testing:
- Risk associated with taking this patch: low
- Explanation of risk level: just ignore a warning
- String changes made/needed?: no
- Is Android affected?: no
Updated•11 days ago
|
Comment 10•11 days ago
|
||
firefox-release Uplift Approval Request
- User impact if declined/Reason for urgency: Just ignoring/silent warning in the CI.
doesn't go into our product - Code covered by automated testing?: yes
- Fix verified in Nightly?: yes
- Needs manual QE testing?: no
- Steps to reproduce for manual QE testing:
- Risk associated with taking this patch: low
- Explanation of risk level: just ignore a warning
- String changes made/needed?: no
- Is Android affected?: no
| Assignee | ||
Comment 11•11 days ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D310042
Updated•11 days ago
|
Updated•11 days ago
|
Comment 12•11 days ago
|
||
| uplift | ||
Updated•11 days ago
|
Updated•11 days ago
|
Comment 13•11 days ago
|
||
| uplift | ||
Description
•