search

galacticcouncil / hydration-node

Hydration node - Cross-chain liquidity protocol built with Polkadot-SDK
https://hydration.net
Apache License 2.0
173 stars 74 forks source link

Bug: [Audit_RV] Two known vulnerabilities detected #431

Closed yanliu18 closed 9 months ago

yanliu18 commented 2 years ago

2 vulnerabilities and 1 deprecated crate are detected while performing dependency linting. The vulnerabilities will lead to memory leakage and segfault, considered to be sever ones. Strongly recommend to upgrade to patched versions.

warehouse repo has the same vulnerabilities.

However, these vulnerabilities seem belong to substrate. Need to report to Substate if the latest Substate release has the same problem.

Description

{
    "database": {
        "advisory-count": 421,
        "last-commit": "2718c2db84a5d7607aa510fe33565e00c7959859",
        "last-updated": "2022-07-05T12:48:56Z"
    },
    "lockfile": {
        "dependency-count": 919
    },
    "settings": {
        "target_arch": null,
        "target_os": null,
        "severity": null,
        "ignore": [],
        "informational_warnings": [
            "unmaintained"
        ]
    },
    "vulnerabilities": {
        "found": true,
        "count": 2,
        "list": [
            {
                "advisory": {
                    "id": "RUSTSEC-2021-0130",
                    "package": "lru",
                    "title": "Use after free in lru crate",
                    "description": "Lru crate has use after free vulnerability.\n\nLru crate has two functions for getting an iterator. Both iterators give\nreferences to key and value. Calling specific functions, like pop(), will remove\nand free the value, and but it's still possible to access the reference of value\nwhich is already dropped causing use after free.",
                    "date": "2021-12-21",
                    "aliases": [],
                    "related": [],
                    "collection": "crates",
                    "categories": [
                        "memory-corruption"
                    ],
                    "keywords": [
                        "use-after-free"
                    ],
                    "cvss": null,
                    "informational": null,
                    "references": [],
                    "source": null,
                    "url": "https://github.com/jeromefroe/lru-rs/issues/120",
                    "withdrawn": null
                },
                "versions": {
                    "patched": [
                        ">=0.7.1"
                    ],
                    "unaffected": []
                },
                "affected": {
                    "arch": [],
                    "os": [],
                    "functions": {
                        "lru::LruCache::iter": [
                            "<0.7.1"
                        ],
                        "lru::LruCache::iter_mut": [
                            "<0.7.1"
                        ]
                    }
                },
                "package": {
                    "name": "lru",
                    "version": "0.6.6",
                    "source": "registry+https://github.com/rust-lang/crates.io-index",
                    "checksum": "7ea2d928b485416e8908cff2d97d621db22b27f7b3b6729e438bcf42c671ba91",
                    "dependencies": [
                        {
                            "name": "hashbrown",
                            "version": "0.11.2",
                            "source": "registry+https://github.com/rust-lang/crates.io-index"
                        }
                    ],
                    "replace": null
                }
            },
            {
                "advisory": {
                    "id": "RUSTSEC-2020-0071",
                    "package": "time",
                    "title": "Potential segfault in the time crate",
                    "description": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nNo workarounds are known.\n\n### References\n\ntime-rs/time#293",
                    "date": "2020-11-18",
                    "aliases": [
                        "CVE-2020-26235"
                    ],
                    "related": [],
                    "collection": "crates",
                    "categories": [
                        "code-execution",
                        "memory-corruption"
                    ],
                    "keywords": [
                        "segfault"
                    ],
                    "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                    "informational": null,
                    "references": [],
                    "source": null,
                    "url": "https://github.com/time-rs/time/issues/293",
                    "withdrawn": null
                },
                "versions": {
                    "patched": [
                        ">=0.2.23"
                    ],
                    "unaffected": [
                        "=0.2.0",
                        "=0.2.1",
                        "=0.2.2",
                        "=0.2.3",
                        "=0.2.4",
                        "=0.2.5",
                        "=0.2.6"
                    ]
                },
                "affected": {
                    "arch": [],
                    "os": [
                        "linux",
                        "redox",
                        "solaris",
                        "android",
                        "ios",
                        "macos",
                        "netbsd",
                        "openbsd",
                        "freebsd"
                    ],
                    "functions": {
                        "time::OffsetDateTime::now_local": [
                            "<0.2.23"
                        ],
                        "time::OffsetDateTime::try_now_local": [
                            "<0.2.23"
                        ],
                        "time::UtcOffset::current_local_offset": [
                            "<0.2.23"
                        ],
                        "time::UtcOffset::local_offset_at": [
                            "<0.2.23"
                        ],
                        "time::UtcOffset::try_current_local_offset": [
                            "<0.2.23"
                        ],
                        "time::UtcOffset::try_local_offset_at": [
                            "<0.2.23"
                        ],
                        "time::at": [
                            "^0.1"
                        ],
                        "time::at_utc": [
                            "^0.1"
                        ],
                        "time::now": [
                            "^0.1"
                        ]
                    }
                },
                "package": {
                    "name": "time",
                    "version": "0.1.44",
                    "source": "registry+https://github.com/rust-lang/crates.io-index",
                    "checksum": "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255",
                    "dependencies": [
                        {
                            "name": "libc",
                            "version": "0.2.120",
                            "source": "registry+https://github.com/rust-lang/crates.io-index"
                        },
                        {
                            "name": "wasi",
                            "version": "0.10.0+wasi-snapshot-preview1",
                            "source": "registry+https://github.com/rust-lang/crates.io-index"
                        },
                        {
                            "name": "winapi",
                            "version": "0.3.9",
                            "source": "registry+https://github.com/rust-lang/crates.io-index"
                        }
                    ],
                    "replace": null
                }
            }
        ]
    },
    "warnings": {
        "unmaintained": [
            {
                "kind": "unmaintained",
                "package": {
                    "name": "net2",
                    "version": "0.2.37",
                    "source": "registry+https://github.com/rust-lang/crates.io-index",
                    "checksum": "391630d12b68002ae1e25e8f974306474966550ad82dac6886fb8910c19568ae",
                    "dependencies": [
                        {
                            "name": "cfg-if",
                            "version": "0.1.10",
                            "source": "registry+https://github.com/rust-lang/crates.io-index"
                        },
                        {
                            "name": "libc",
                            "version": "0.2.120",
                            "source": "registry+https://github.com/rust-lang/crates.io-index"
                        },
                        {
                            "name": "winapi",
                            "version": "0.3.9",
                            "source": "registry+https://github.com/rust-lang/crates.io-index"
                        }
                    ],
                    "replace": null
                },
                "advisory": {
                    "id": "RUSTSEC-2020-0016",
                    "package": "net2",
                    "title": "`net2` crate has been deprecated; use `socket2` instead",
                    "description": "The [`net2`](https://crates.io/crates/net2) crate has been deprecated\nand users are encouraged to considered [`socket2`](https://crates.io/crates/socket2) instead.",
                    "date": "2020-05-01",
                    "aliases": [],
                    "related": [],
                    "collection": "crates",
                    "categories": [],
                    "keywords": [],
                    "cvss": null,
                    "informational": "unmaintained",
                    "references": [],
                    "source": null,
                    "url": "https://github.com/deprecrated/net2-rs/commit/3350e3819adf151709047e93f25583a5df681091",
                    "withdrawn": null
                },
                "versions": {
                    "patched": [],
                    "unaffected": []
                }
            }
        ]
    }
}

Possible Fix

upgrade the dependent package to patched versions.

Steps to Reproduce

  1. Install cargo-audit subcommand.
  2. Navigate to root folder (same directory with cargo.toml)
  3. Run cargo audit.

Context

Adversary databased used: RustSEC.

enthusiastmartin commented 2 years ago

LRU issue has been resolved in substrate 28.

the second - time - is still present.

enthusiastmartin commented 9 months ago

no longer an issue.