image-rs / jpeg-decoder

JPEG decoder written in Rust
Apache License 2.0

CVE-2021-32810: bump `rayon` dependency from `1.5.1` to `1.5.3` to avoid vulnerability #253

Status: Closed (closed by josecelano 1 year ago)

josecelano commented 1 year ago
```
Cargo.lock (cargo)
==================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

┌─────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ crossbeam-deque │ CVE-2021-32810 │ CRITICAL │ 0.8.0             │ 0.7.4, 0.8.1  │ rust-crossbeam-deque: race condition may lead to double free │
│                 │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-32810                   │
└─────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```

```
├── jpeg-decoder v0.2.6
│   └── rayon v1.5.1
│       ├── crossbeam-deque v0.8.0 <---------------------------------- HERE
│       │   ├── cfg-if v1.0.0
│       │   ├── crossbeam-epoch v0.9.5
│       │   │   ├── cfg-if v1.0.0
│       │   │   ├── crossbeam-utils v0.8.5
│       │   │   │   ├── cfg-if v1.0.0
│       │   │   │   └── lazy_static v1.4.0
│       │   │   ├── lazy_static v1.4.0
│       │   │   ├── memoffset v0.6.4
│       │   │   │   [build-dependencies]
│       │   │   │   └── autocfg v1.0.1
│       │   │   └── scopeguard v1.1.0
│       │   └── crossbeam-utils v0.8.5 (*)
│       ├── either v1.6.1
│       └── rayon-core v1.9.1
│           ├── crossbeam-channel v0.5.1
│           │   ├── cfg-if v1.0.0
│           │   └── crossbeam-utils v0.8.5 (*)
│           ├── crossbeam-deque v0.8.0 (*) <---------------------------------- HERE
│           ├── crossbeam-utils v0.8.5 (*)
│           ├── lazy_static v1.4.0
│           └── num_cpus v1.13.0 (*)
│       [build-dependencies]
│       └── autocfg v1.0.1
```
HeroicKatora commented 1 year ago

We don't specify any upper bounds on version numbers, nor do we have a lock file. You'll get the newest version by running `cargo update` on your repository. I don't see why we would need to do anything. We could bump the minimum required version to enforce this, but that can't be the proper reaction in the long run; it would cause a stampede of version bumps if that were 'expected' to happen. GitHub's CVE warning is somewhat annoying for Rust dependencies: it doesn't understand Cargo.lock and its version resolution in terms of solution actions – in particular it doesn't consider the full version specifier.

josecelano commented 1 year ago

> We don't specify any upper bounds on version numbers, nor do we have a lock file. You'll get the newest version by running `cargo update` on your repository. I don't see why we would need to do anything. We could bump the minimum required version to enforce this, but that can't be the proper reaction in the long run; it would cause a stampede of version bumps if that were 'expected' to happen. GitHub's CVE warning is somewhat annoying for Rust dependencies: it doesn't understand Cargo.lock and its version resolution in terms of solution actions – in particular it doesn't consider the full version specifier.

It seems I did not understand the Cargo version resolution either. I thought you were specifying a concrete version in the Cargo.toml, since you do not use the "^" symbol, and that this led to always using that concrete version.

After reading the docs I've just learned that `1.5.1` equals `^1.5.1`.

Thanks and sorry.
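The point the thread turns on (a bare `1.5.1` in Cargo.toml is a caret requirement, so a consumer's `cargo update` already reaches rayon 1.5.3 and crossbeam-deque 0.8.1 without any change to jpeg-decoder) is easy to get wrong, so here is an added example that models Cargo's requirement matching. It is not code from jpeg-decoder or from Cargo; the requirement syntax rules are Cargo's documented ones, while the candidate version lists and the assumed `crossbeam-deque = "0.8.0"` requirement are constructed for illustration.

```rust
// Added example (not jpeg-decoder or Cargo code): a model of Cargo's
// version-requirement matching, enough to show why `rayon = "1.5.1"` in
// Cargo.toml already admits rayon 1.5.3 and crossbeam-deque 0.8.1.
// Candidate version lists below are constructed for the example; only the
// requirement syntax rules follow the Cargo reference ("Specifying
// Dependencies").

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "1", "1.5" or "1.5.1"; missing components default to 0.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let major = parts.next()??;
        let minor = parts.next().unwrap_or(Some(0))?;
        let patch = parts.next().unwrap_or(Some(0))?;
        if parts.next().is_some() {
            return None; // more than three components
        }
        Some(Version { major, minor, patch })
    }
}

/// The two requirement forms relevant to this thread: an exact pin (`=1.5.1`)
/// and the default caret requirement (`1.5.1`, equivalent to `^1.5.1`).
pub enum Req {
    Exact(Version),
    Caret { min: Version, max_exclusive: Version },
}

pub fn parse_req(s: &str) -> Option<Req> {
    let s = s.trim();
    if let Some(rest) = s.strip_prefix('=') {
        return Version::parse(rest).map(Req::Exact);
    }
    // A bare version and a `^` version mean the same thing to Cargo.
    let rest = s.strip_prefix('^').unwrap_or(s);
    let written = rest.split('.').count();
    let min = Version::parse(rest)?;
    // Caret semantics: compatible up to (not including) the next bump of the
    // leftmost non-zero component that was written:
    //   ^1.5.1 => <2.0.0   ^0.8.0 => <0.9.0   ^0.0.3 => <0.0.4
    //   ^0     => <1.0.0   ^0.0   => <0.1.0
    let max_exclusive = if min.major > 0 {
        Version { major: min.major + 1, minor: 0, patch: 0 }
    } else if written == 1 {
        Version { major: 1, minor: 0, patch: 0 }
    } else if min.minor > 0 || written == 2 {
        Version { major: 0, minor: min.minor + 1, patch: 0 }
    } else {
        Version { major: 0, minor: 0, patch: min.patch + 1 }
    };
    Some(Req::Caret { min, max_exclusive })
}

pub fn matches(req: &Req, v: Version) -> bool {
    match req {
        Req::Exact(x) => v == *x,
        Req::Caret { min, max_exclusive } => v >= *min && v < *max_exclusive,
    }
}

/// What `cargo update` does for one dependency: take the newest published
/// version that satisfies the requirement. `available` is a constructed
/// stand-in for the registry index.
pub fn resolve_newest(req: &Req, available: &[&str]) -> Option<Version> {
    available
        .iter()
        .filter_map(|s| Version::parse(s))
        .filter(|v| matches(req, *v))
        .max()
}

fn main() {
    // jpeg-decoder's `rayon = "1.5.1"` already reaches the newer 1.5.x line.
    let rayon = parse_req("1.5.1").unwrap();
    println!("rayon -> {:?}", resolve_newest(&rayon, &["1.5.0", "1.5.1", "1.5.3"]));

    // Assumed requirement `crossbeam-deque = "0.8.0"` in rayon's Cargo.toml:
    // 0.8.1 (one fixed version) is in range; 0.7.4 (the other fixed version)
    // is a different 0.x line and is not.
    let deque = parse_req("0.8.0").unwrap();
    println!("crossbeam-deque -> {:?}", resolve_newest(&deque, &["0.7.4", "0.8.0", "0.8.1"]));

    // Only an explicit `=` pin would keep the vulnerable version in place.
    let pinned = parse_req("=0.8.0").unwrap();
    println!("pinned crossbeam-deque -> {:?}", resolve_newest(&pinned, &["0.7.4", "0.8.0", "0.8.1"]));
}
```

The practical check for a consumer is therefore `cargo update -p crossbeam-deque` (or a full `cargo update`) followed by re-running the scanner against the regenerated Cargo.lock; a minimum-version bump in jpeg-decoder would only matter for a consumer whose lock file is never refreshed.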