code-423n4 / 2024-03-phala-network-findings


vulnerabilities RUSTSEC-2024-0003, RUSTSEC-2021-0054 and RUSTSEC-2024-0006 #6

Closed c4-bot-1 closed 6 months ago

c4-bot-1 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/Cargo.lock#L4218
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/Cargo.lock#L1951
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/Cargo.lock#L4812

Vulnerability details

```text
Crate:     h2
Version:   0.3.20
Title:     Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
Date:      2024-01-17
ID:        RUSTSEC-2024-0003
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0003
Solution:  Upgrade to ^0.3.24 OR >=0.4.2
Dependency tree:
h2 0.3.20
├── reqwest 0.11.20
│   ├── sgx-attestation 0.1.0
│   │   ├── phala-types 0.3.0
│   │   │   └── pink-runtime 1.2.0
│   │   │       └── pink-loader 0.1.0
│   │   └── check_system 0.1.0
│   │       └── pink-runtime 1.2.0
│   ├── reqwest-env-proxy 0.1.0
│   │   ├── sgx-attestation 0.1.0
│   │   └── pink-chain-extension 0.1.1
│   │       ├── pink-runtime 1.2.0
│   │       ├── pink-loader 0.1.0
│   │       └── pink 0.4.1
│   │           ├── pink-runtime 1.2.0
│   │           ├── pink-chain-extension 0.1.1
│   │           ├── pink-capi 0.1.0
│   │           │   ├── pink-runtime 1.2.0
│   │           │   └── pink-loader 0.1.0
│   │           ├── phat_js 0.3.0
│   │           │   └── check_system 0.1.0
│   │           └── check_system 0.1.0
│   └── pink-chain-extension 0.1.1
└── hyper 0.14.27
    ├── reqwest 0.11.20
    └── hyper-rustls 0.24.1
        └── reqwest 0.11.20
```


```text
Crate:     rkyv
Version:   0.4.3
Title:     Archives may contain uninitialized memory
Date:      2021-04-28
ID:        RUSTSEC-2021-0054
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0054
Severity:  7.5 (high)
Solution:  Upgrade to >=0.6.0
Dependency tree:
rkyv 0.4.3
├── xous-ipc 0.9.51
│   ├── xous-api-names 0.9.49
│   │   └── ring 0.16.20
│   │       ├── sgx-attestation 0.1.0
│   │       │   ├── phala-types 0.3.0
│   │       │   │   └── pink-runtime 1.2.0
│   │       │   │       └── pink-loader 0.1.0
│   │       │   └── check_system 0.1.0
│   │       │       └── pink-runtime 1.2.0
│   │       ├── sct 0.7.0
│   │       │   └── rustls 0.21.7
│   │       │       ├── tokio-rustls 0.24.1
│   │       │       │   ├── reqwest 0.11.20
│   │       │       │   │   ├── sgx-attestation 0.1.0
│   │       │       │   │   ├── reqwest-env-proxy 0.1.0
│   │       │       │   │   │   ├── sgx-attestation 0.1.0
│   │       │       │   │   │   └── pink-chain-extension 0.1.1
│   │       │       │   │   │       ├── pink-runtime 1.2.0
│   │       │       │   │   │       ├── pink-loader 0.1.0
│   │       │       │   │   │       └── pink 0.4.1
│   │       │       │   │   │           ├── pink-runtime 1.2.0
│   │       │       │   │   │           ├── pink-chain-extension 0.1.1
│   │       │       │   │   │           ├── pink-capi 0.1.0
│   │       │       │   │   │           │   ├── pink-runtime 1.2.0
│   │       │       │   │   │           │   └── pink-loader 0.1.0
│   │       │       │   │   │           ├── phat_js 0.3.0
│   │       │       │   │   │           │   └── check_system 0.1.0
│   │       │       │   │   │           └── check_system 0.1.0
│   │       │       │   │   └── pink-chain-extension 0.1.1
│   │       │       │   └── hyper-rustls 0.24.1
│   │       │       │       └── reqwest 0.11.20
│   │       │       ├── reqwest 0.11.20
│   │       │       └── hyper-rustls 0.24.1
│   │       ├── rustls-webpki 0.102.0-alpha.3
│   │       │   └── sgx-attestation 0.1.0
│   │       ├── rustls-webpki 0.101.5
│   │       │   └── rustls 0.21.7
│   │       ├── rustls 0.21.7
│   │       └── phala-crypto 0.1.0
│   │           ├── pink-runtime 1.2.0
│   │           └── pink-loader 0.1.0
│   ├── xous-api-log 0.1.47
│   │   └── xous-api-names 0.9.49
│   └── ring 0.16.20
├── xous-api-names 0.9.49
└── ring 0.16.20
```


```text
Crate:     shlex
Version:   1.1.0
Title:     Multiple issues involving quote API
Date:      2024-01-21
ID:        RUSTSEC-2024-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0006
Solution:  Upgrade to >=1.3.0
Dependency tree:
shlex 1.1.0
└── bindgen 0.64.0
    └── pink-capi 0.1.0
        ├── pink-runtime 1.2.0
        │   └── pink-loader 0.1.0
        └── pink-loader 0.1.0
```


Assessed type

Upgradable

c4-pre-sort commented 6 months ago

141345 marked the issue as insufficient quality report

141345 commented 6 months ago

Out of scope

c4-judge commented 6 months ago

OpenCoreCH marked the issue as unsatisfactory: Insufficient proof