Closed Bug 2052161 Opened 12 days ago Closed 12 days ago

Crate depends on a vulnerable version of quick-xml.

Categories

(Testing :: Mozbase Rust, task)

task

Tracking

(firefox152 fixed, firefox153 fixed, firefox154 fixed)

RESOLVED FIXED
154 Branch
Tracking Status
firefox152 --- fixed
firefox153 --- fixed
firefox154 --- fixed

People

(Reporter: Sylvestre, Assigned: Sylvestre)

References

Details

Attachments

(3 files, 1 obsolete file)

The cargo-audit lint fails because Cargo.lock pins quick-xml 0.37.5, flagged by two RustSec advisories:

  • RUSTSEC-2026-0194 - quadratic runtime when checking a start tag for duplicate attribute names (DoS).
  • RUSTSEC-2026-0195 - unbounded namespace-declaration allocation in NsReader (memory-exhaustion DoS).

Both are fixed in quick-xml >= 0.41.0. quick-xml is pulled in transitively via mozrunner -> plist. The latest plist (1.9.0) still depends on quick-xml 0.39.x, so we cannot upgrade past the vulnerable range yet.

In the meantime, add an exclude-error entry in tools/lint/cargo-audit.yml to keep CI green, mirroring the existing time / self_cell exclusions. Revisit once plist upstream bumps to quick-xml >= 0.41.0.

example:
https://treeherder.mozilla.org/jobs?repo=try&revision=f4b8f23719c64aa6a6859f65cee32bcb2c0521f5&selectedTaskRun=coSjXcS-Q4-HxBqxEHYdRw.0

https://github.com/ebarnard/rust-plist/pull/191 handles the version bump for quick-xml in plist. Lets hope they are fast to solve it. Would be good to have a fix as well for the upcoming geckodriver 0.37.1 bugfix release.

Assignee: nobody → sledru
Status: NEW → ASSIGNED
Pushed by sledru@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/d08e46fcadb0 https://hg.mozilla.org/integration/autoland/rev/f660a451c6dc Exclude quick-xml from cargo-audit until plist upgrades past the vulnerable range. r=emilio

Bug 2052142 will be used for the actual version bump.

No longer blocks: 2051391
Status: ASSIGNED → RESOLVED
Closed: 12 days ago
Resolution: --- → FIXED
Target Milestone: --- → 154 Branch

can this eventually get backported to beta ? apparently it's blocking other backports like https://phabricator.services.mozilla.com/D310041#10764659 ...

Attachment #9604229 - Flags: approval-mozilla-beta?
Attachment #9604230 - Flags: approval-mozilla-beta?

firefox-beta Uplift Approval Request

  • User impact if declined/Reason for urgency: Just ignoring/silent warning in the CI.
    doesn't go into our product
  • Code covered by automated testing?: yes
  • Fix verified in Nightly?: yes
  • Needs manual QE testing?: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: just ignore a warning
  • String changes made/needed?: no
  • Is Android affected?: no
Attachment #9604229 - Attachment is obsolete: true
Attachment #9604229 - Flags: approval-mozilla-beta?

firefox-release Uplift Approval Request

  • User impact if declined/Reason for urgency: Just ignoring/silent warning in the CI.
    doesn't go into our product
  • Code covered by automated testing?: yes
  • Fix verified in Nightly?: yes
  • Needs manual QE testing?: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: just ignore a warning
  • String changes made/needed?: no
  • Is Android affected?: no
Attachment #9604231 - Flags: approval-mozilla-release?
Attachment #9604230 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9604231 - Flags: approval-mozilla-release? → approval-mozilla-release+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: