kimono-koans / httm

Interactive, file-level Time Machine-like tool for ZFS/btrfs/nilfs2 (and even Time Machine and Restic backups!)
https://crates.io/crates/httm
Mozilla Public License 2.0
1.33k stars, 28 forks

affected by CVE-2020-26235 via transitive dependencies #54

Closed arctic-penguin closed 1 year ago

arctic-penguin commented 1 year ago

Running cargo audit on the repo shows a security vulnerability, via skim -> timer -> chrono -> time.

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 469 security advisories (from /home/timeshifter/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (135 crate dependencies)
Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    ├── timer 0.2.0
    │   └── skim 0.10.1
    │       └── httm 0.17.0
    └── skim 0.10.1

Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── lscolors 0.12.0
    └── httm 0.17.0

error: 1 vulnerability found!
warning: 1 allowed warning found

kimono-koans commented 1 year ago

Ugh, it had to be skim with this issue. But there are new maintainers now, so fingers crossed we can get this fixed quickly. Thanks for the report!

kimono-koans commented 1 year ago

Vendoring and patching the deps skim and timer.rs should fix this issue. Hopefully the upstream guys will adopt the fixes too. Version 0.17.9 has the fixes.

httm git:(master) ✗ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 472 security advisories (from /home/rswinford/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (137 crate dependencies)
Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── lscolors 0.13.0
    └── httm 0.17.9

warning: 1 allowed warning found

Thanks!
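One way to express the vendor-and-patch approach described in the comment above, as an added example rather than the project's own manifest; the vendor/ paths and the chrono feature edit are assumptions, not taken from the httm repository:

```toml
# Cargo.toml of the crate at the root of the vulnerable chain (httm here).
# A [patch.crates-io] table replaces a registry crate, everywhere it occurs
# in the dependency graph, with a local copy. The copy must keep the crate
# name and a version that still satisfies every existing version requirement,
# otherwise cargo silently ignores the patch and the old crate stays in use.
[patch.crates-io]
skim  = { path = "vendor/skim" }    # assumed vendored directory
timer = { path = "vendor/timer" }   # assumed vendored directory

# Assumed edit inside vendor/timer/Cargo.toml and vendor/skim/Cargo.toml:
# chrono 0.4.x only pulls in time 0.1 through its default "oldtime" feature,
# so dropping default features removes the RUSTSEC-2020-0071 path without
# changing the chrono API that skim and timer actually use.
#
# [dependencies]
# chrono = { version = "0.4", default-features = false, features = ["clock"] }

# Verification after the edit (assumed workflow):
#   cargo update          # regenerate Cargo.lock without time 0.1
#   cargo tree -i time    # expect "nothing to print" for the 0.1 line
#   cargo audit           # expect the RUSTSEC-2020-0071 finding to disappear
```

Because a patch only applies while the version constraint matches, pin the check in CI (cargo audit exits non-zero on a vulnerability) so a later dependency bump that reintroduces time 0.1 is caught rather than silently re-accepted.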