diwakergupta / stacks-blockchain-tob-audit

GNU General Public License v3.0

Stacks nodes use the out-of-date rusqlite 0.16.0 crate that has known memory safety and race condition issues #27

Open bradlarsen opened 3 years ago

bradlarsen commented 3 years ago

Description

cargo audit points out that the Stacks node uses the out-of-date rusqlite crate (version 0.16.0 from December 2018), which has multiple memory safety and race condition issues, largely in non-default features:

ID:       RUSTSEC-2020-0014
Crate:    rusqlite
Version:  0.16.0
Date:     2020-04-23
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0014
Title:    Various memory safety issues
Solution:  upgrade to >= 0.23.0
Dependency tree:
rusqlite 0.16.0
└── blockstack-core 0.0.1
    └── stacks-node 0.1.0

There have also been many non-security-related bugfixes and breaking API changes made since the 0.16.0 release.

rusqlite is used extensively throughout the Stacks node software, and is used with several non-default features, and so may be directly affected by these issues:

https://github.com/trailofbits/x-audit-blockstack-core/blob/d35ef465e9fa2ce327a181117f8ca7933b9df075/Cargo.toml#L69-L71

Exploit Scenario

An attacker uses one of the memory errors in rusqlite to cause a Stacks node to crash, causing denial-of-service.

Recommendation

Short term, upgrade to the latest release of rusqlite (0.24.0 as of September 16, 2020).

Long term, incorporate cargo audit into your development process, perhaps as a continuous integration job that fails when RUSTSEC advisories are reported, to help keep abreast of possible security issues in third-party dependencies you use.

Long term, as a checklist item in your release process, review all third-party dependencies that the Stacks software uses, and update as bug- and security-related updates are released.
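As an added example for the CI recommendation above (it is not code from this issue, from Trail of Bits, or from the Stacks repository): the simplest gate is `cargo audit --deny warnings` in a CI step, but a small wrapper gives a team control over which advisories have been consciously accepted. The script below reads the JSON that `cargo audit --json` writes, lists the vulnerable packages, drops any advisory IDs that were explicitly accepted, and exits non-zero when anything remains. The JSON field names it reads (`vulnerabilities.list[].advisory.id`, `.package.name`, `.versions.patched`) are an assumption about cargo-audit's report layout, and the sample report is constructed from the RUSTSEC-2020-0014 entry quoted in this issue.

```python
"""Fail a CI job when `cargo audit --json` reports unaccepted advisories.

Added example, not part of the audit issue or the Stacks code base.
Assumed report layout (cargo-audit's JSON output): a top-level
"vulnerabilities" object holding a "list" of entries, each with
"advisory" (id, title, package), "package" (name, version) and
"versions" (patched). Only those fields are read.
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample modelled on the advisory quoted in the issue.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 1,
        "list": [{
            "advisory": {
                "id": "RUSTSEC-2020-0014",
                "package": "rusqlite",
                "title": "Various memory safety issues",
                "url": "https://rustsec.org/advisories/RUSTSEC-2020-0014",
            },
            "versions": {"patched": [">=0.23.0"], "unaffected": []},
            "package": {"name": "rusqlite", "version": "0.16.0"},
        }],
    }
})


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    package: str
    version: str
    title: str
    patched: tuple


def parse_report(report_json: str) -> list:
    """Extract one Finding per vulnerable dependency in the report."""
    data = json.loads(report_json)
    findings = []
    for entry in data.get("vulnerabilities", {}).get("list", []):
        adv = entry.get("advisory", {})
        pkg = entry.get("package", {})
        findings.append(Finding(
            advisory_id=adv.get("id", "UNKNOWN"),
            package=pkg.get("name", adv.get("package", "?")),
            version=pkg.get("version", "?"),
            title=adv.get("title", ""),
            patched=tuple(entry.get("versions", {}).get("patched", [])),
        ))
    return findings


def blocking_findings(findings, accepted=()):
    """Keep only advisories that were not explicitly accepted by the team.

    Accepted IDs should live in a reviewed file in the repo (with an owner
    and expiry date), never be passed ad hoc, so the exception is auditable.
    """
    accepted_ids = set(accepted)
    return [f for f in findings if f.advisory_id not in accepted_ids]


def format_finding(f: Finding) -> str:
    fix = ", ".join(f.patched) if f.patched else "no patched version listed"
    return f"{f.advisory_id}: {f.package} {f.version} - {f.title} (fix: {fix})"


def exit_code_for(report_json: str, accepted=()) -> int:
    """0 when nothing blocks the build, 1 otherwise; suitable as a CI step."""
    blocking = blocking_findings(parse_report(report_json), accepted)
    for f in blocking:
        print(format_finding(f), file=sys.stderr)
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: cargo audit --json | python audit_gate.py [ACCEPTED_ID ...]
    sys.exit(exit_code_for(sys.stdin.read(), accepted=sys.argv[1:]))
```

Wired into CI as `cargo audit --json | python audit_gate.py`, the job turns red the day an advisory lands for a dependency, and the accepted-ID list makes every deliberate exception visible in review rather than silently swallowed.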

bradlarsen commented 3 years ago

Note that in addition to the rusqlite changes since 0.16.0, there have also been numerous bug fixes in the bundled version of SQLite.

rusqlite 0.16.0 bundles SQLite 3.26.0
rusqlite 0.24.0 bundles SQLite 3.33.0