bitcoindevkit / bdk-cli

A CLI wallet library and REPL tool to demo and test the BDK library

Fix stdweb audit advisory RUSTSEC-2020-0056 #85

Closed notmandatory closed 1 year ago

notmandatory commented 2 years ago

% cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 405 security advisories (from /home/steve/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (238 crate dependencies)
Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree: 
stdweb 0.4.20
└── time 0.2.27
    ├── cookie_store 0.12.0
    │   └── ureq 1.5.5
    └── cookie 0.14.4
        ├── ureq 1.5.5
        └── cookie_store 0.12.0

warning: 1 allowed warning found

rajarshimaitra commented 2 years ago

I think I found the bottom of this hole. The stdweb lib was a complex JS-to-Rust link library and I have no clue why they needed it in time. And now it's saying unmaintained, so an even higher vulnerability.

Recent versions of time remove stdweb from their dependencies, and recent ureq ~2.2.0 includes the change.

The problem is occurring from ureq 1.5.5, which uses a lower version of time that still has stdweb, and it's only a requirement of bitcoind.

https://github.com/bitcoindevkit/bdk-cli/blob/8d14cf5549805b685d95c72247b358e67b6a330f/Cargo.lock#L266-L280

And Ricardo pinned this version for the MSRV constraint.

https://github.com/RCasatta/bitcoind/blob/31e88fdb011e37ebec08c710ad994d62d46b42b7/Cargo.toml#L22

So the easiest way to fix is remove the pin in bitcoind and let it use the latest ureq.

cc @RCasatta

UPDATE: The same situation is there for BDK too.
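Tracing the advisory back to the direct dependency that has to be bumped, as the comment above does by hand, can be scripted against the lockfile. This is an added example, not code from the bdk-cli or bitcoind projects; it parses a constructed Cargo.lock excerpt (crate names taken from the advisory's dependency tree, the bdk-cli and bitcoind entries assumed, versions omitted) and reports every chain from the root crate down to stdweb plus the root's direct dependencies that pull it in.

```python
import re
# Constructed Cargo.lock excerpt (not the real bdk-cli lockfile; versions omitted)
# reproducing the advisory's chain: ureq -> cookie/cookie_store -> time -> stdweb.
SAMPLE_LOCK = """\
[[package]]
name = "bdk-cli"
dependencies = ["bitcoind"]
[[package]]
name = "bitcoind"
dependencies = ["ureq"]
[[package]]
name = "ureq"
dependencies = ["cookie", "cookie_store"]
[[package]]
name = "cookie"
dependencies = ["time"]
[[package]]
name = "cookie_store"
dependencies = ["cookie", "time"]
[[package]]
name = "time"
dependencies = ["stdweb"]
[[package]]
name = "stdweb"
"""

def parse_lock(text):
    """Map each [[package]] name to its dependency names (entries read "name" or "name version")."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        m = re.search(r"^dependencies = \[(.*?)\]", block, re.M | re.S)
        pkgs[name] = [d.split()[0] for d in re.findall(r'"([^"]+)"', m.group(1))] if m else []
    return pkgs

def chains(pkgs, root, target):
    """Every dependency chain from root down to the advisory crate."""
    out = []
    def walk(node, path):
        path = path + [node]
        if node == target:
            out.append(path)
        for dep in pkgs.get(node, []):
            walk(dep, path)
    walk(root, [])
    return out

def direct_culprits(pkgs, root, target):
    """Direct deps of root whose subtree reaches target: the ones to bump or unpin."""
    return sorted(d for d in pkgs[root] if chains(pkgs, d, target))
```

The parser also accepts the multi-line `dependencies = [ ... ]` arrays and `"name version"` entries that cargo writes into a real Cargo.lock.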

RCasatta commented 2 years ago

The plan I have in mind is:

notmandatory commented 2 years ago

On the MSRV question BDK is bumping up to 1.56.0.

Also the focus for the next bdk release 0.19.0 is TP support, so we're also updating bitcoin to 0.28 along with other dependencies doing the same, like rust-bitcoincore-rpc. Once BDK 0.19.0 is released, the high priority for bdk-cli should be to do the corresponding updates.

notmandatory commented 2 years ago

I think this will be fixed by #99 so I assigned it to you @rajarshimaitra to confirm. Thanks!

rajarshimaitra commented 2 years ago

It seems it's still there with #99.

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 417 security advisories (from /home/raj/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (268 crate dependencies)
Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree: 
stdweb 0.4.20
└── time 0.2.27
    ├── cookie_store 0.12.0
    │   └── ureq 1.5.5
    └── cookie 0.14.4
        ├── ureq 1.5.5
        └── cookie_store 0.12.0

warning: 1 allowed warning found

notmandatory commented 2 years ago

Moved this one to bdk-cli 0.7.0 since the updated version of bitcoind 0.27.0 isn't released yet.