ruabmbua / enet-sys

Raw rust bindings to the enet C library
MIT License

`cargo audit` failing due to old bindgen #14

Closed futile closed 2 years ago

futile commented 2 years ago

cargo audit finds two security vulnerabilities:

Scanning Cargo.lock for vulnerabilities (45 crate dependencies)

Crate:         regex
Version:       0.2.11
Title:         Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:          2022-03-08
ID:            RUSTSEC-2022-0013
URL:           https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:      Upgrade to >=1.5.5
Dependency tree: 
regex 0.2.11

Crate:         thread_local
Version:       0.3.6
Title:         Data race in `Iter` and `IterMut`
Date:          2022-01-23
ID:            RUSTSEC-2022-0006
URL:           https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:      Upgrade to >=1.1.4
Dependency tree: 
thread_local 0.3.6
└── regex 0.2.11

error: 2 vulnerabilities found!

See https://github.com/futile/enet-rs/issues/15 and https://github.com/futile/enet-rs/issues/16 for further info on these issues.

Checking how enet-sys depends on these using cargo tree shows the following:

enet-sys v0.2.3 (/some/local/path/enet-sys)
[build-dependencies]
├── bindgen v0.35.0
│   ├── cexpr v0.2.3
│   │   └── nom v3.2.1
│   │       └── memchr v1.0.2
│   │           └── libc v0.2.121
│   ├── cfg-if v0.1.10
│   ├── clang-sys v0.22.0
│   │   ├── glob v0.2.11
│   │   ├── libc v0.2.121
│   │   └── libloading v0.5.2
│   │       [build-dependencies]
│   │       └── cc v1.0.73
│   │   [build-dependencies]
│   │   └── glob v0.2.11
│   ├── clap v2.34.0
│   │   ├── ansi_term v0.12.1
│   │   ├── atty v0.2.14
│   │   │   └── libc v0.2.121
│   │   ├── bitflags v1.3.2
│   │   ├── strsim v0.8.0
│   │   ├── textwrap v0.11.0
│   │   │   └── unicode-width v0.1.9
│   │   ├── unicode-width v0.1.9
│   │   └── vec_map v0.8.2
│   ├── env_logger v0.5.13
│   │   ├── atty v0.2.14 (*)
│   │   ├── humantime v1.3.0
│   │   │   └── quick-error v1.2.3
│   │   ├── log v0.4.16
│   │   │   └── cfg-if v1.0.0
│   │   ├── regex v1.5.5
│   │   │   ├── aho-corasick v0.7.18
│   │   │   │   └── memchr v2.4.1
│   │   │   ├── memchr v2.4.1
│   │   │   └── regex-syntax v0.6.25
│   │   └── termcolor v1.1.3
│   ├── lazy_static v1.4.0
│   ├── log v0.4.16 (*)
│   ├── peeking_take_while v0.1.2
│   ├── quote v0.3.15
│   ├── regex v0.2.11
│   │   ├── aho-corasick v0.6.10
│   │   │   └── memchr v2.4.1
│   │   ├── memchr v2.4.1
│   │   ├── regex-syntax v0.5.6
│   │   │   └── ucd-util v0.1.8
│   │   ├── thread_local v0.3.6
│   │   │   └── lazy_static v1.4.0
│   │   └── utf8-ranges v1.0.4
│   └── which v1.0.5
│       └── libc v0.2.121
└── cmake v0.1.48
    └── cc v1.0.73

So both of these are due to bindgen, which is at version 0.35.0 in Cargo.toml. The current bindgen version (at the time of writing) is 0.59.2, so quite a few newer versions exist.

I tried upgrading bindgen, but that leads to doc tests failing, as indented comments in enet's source code are now interpreted (and run) as Rust code, see https://github.com/rust-lang/rust-bindgen/issues/1313. Also, newer bindgen versions use u128 in signatures, which causes warnings from rustc because u128 is not FFI-safe (known, but very annoying).

Here is a full log of cargo build and cargo test with bindgen at 0.59.2: link to a gist, because too long for inline display (>2.5k lines).

As bindgen is only used as a build dependency, these vulnerabilities might not be too bad, but I guess it'd be nice to fix them anyway.
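The point raised in the report above, that `cargo audit` flags a crate without saying whether it is reached through `[build-dependencies]` or through the runtime graph, is something a triager usually wants to confirm mechanically. The script below is an added example (not code from enet-sys, cargo or the commenter): it parses the plain-text `cargo tree` layout shown in the issue, tracks the `[build-dependencies]` / `[dev-dependencies]` marker lines, and reports every path from the root to a crate together with the edge kind of each hop. The embedded `SAMPLE_TREE` is a constructed, trimmed copy of the tree above with one invented normal dependency on `libc` added so that both outcomes appear. In practice `cargo tree -i <crate> --edges normal` asks cargo the same question directly; the parser is here to make the distinction between the audit report and the dependency kind explicit.

```python
"""
Walk the plain-text output of `cargo tree` and report how a crate reaches the
root: through normal (runtime) dependency edges only, or through at least one
[build-dependencies] edge. Added example, not code from enet-sys or cargo.
Assumes cargo tree's default layout: each nesting level is four columns of
box-drawing characters / spaces, and a "[build-dependencies]" or
"[dev-dependencies]" marker line precedes the children it applies to.
"""
import re

LEVEL_WIDTH = 4                      # columns per nesting level in the default prefix
PREFIX_CHARS = set("│├└─ ")          # characters that make up that prefix
NODE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_-]+) v(?P<version>\S+)")
SECTION_RE = re.compile(r"^\[(?P<kind>build|dev)-dependencies\]$")

# Constructed sample: a trimmed copy of the cargo tree output in the issue above,
# plus an invented normal dependency on libc so that both outcomes are visible.
SAMPLE_TREE = """\
enet-sys v0.2.3 (/some/local/path/enet-sys)
├── libc v0.2.121
[build-dependencies]
├── bindgen v0.35.0
│   ├── clang-sys v0.22.0
│   │   ├── libc v0.2.121
│   │   └── libloading v0.5.2
│   │       [build-dependencies]
│   │       └── cc v1.0.73
│   │   [build-dependencies]
│   │   └── glob v0.2.11
│   ├── env_logger v0.5.13
│   │   └── regex v1.5.5
│   └── regex v0.2.11
│       └── thread_local v0.3.6
└── cmake v0.1.48
    └── cc v1.0.73
"""


def split_line(line):
    """Return (depth, payload): depth from the prefix width, payload after it."""
    i = 0
    while i < len(line) and line[i] in PREFIX_CHARS:
        i += 1
    return i // LEVEL_WIDTH, line[i:]


def dependency_paths(tree_text, crate, version=None):
    """
    Every path from the root to `crate` (optionally one `version`), as
    (labels, kinds) pairs: `labels` are "name vX.Y.Z" strings from the root
    down, `kinds` the edge kind ("normal", "build", "dev") used to reach each
    entry (the root's own entry is always "normal").
    """
    stack, kinds, results = [], [], []
    pending = {}    # depth -> kind announced by the most recent marker for that depth
    for raw in tree_text.splitlines():
        if not raw.strip():
            continue
        depth, payload = split_line(raw)
        section = SECTION_RE.match(payload)
        if section:
            # A marker printed under a node applies to that node's following children.
            pending[depth + 1] = section.group("kind")
            continue
        node = NODE_RE.match(payload)
        if not node:
            continue
        # A node at `depth` closes every deeper subtree and its section markers.
        while stack and stack[-1][0] >= depth:
            stack.pop()
            kinds.pop()
        for d in [d for d in pending if d > depth]:
            del pending[d]
        stack.append((depth, f"{node['name']} v{node['version']}"))
        kinds.append(pending.get(depth, "normal"))
        if node["name"] == crate and version in (None, node["version"]):
            results.append(([label for _, label in stack], list(kinds)))
    return results


def runtime_reachable(tree_text, crate, version=None):
    """True if at least one path to `crate` uses only normal dependency edges."""
    return any(all(k == "normal" for k in kinds)
               for _, kinds in dependency_paths(tree_text, crate, version))


def describe(tree_text, crate, version=None):
    """Human-readable path list, e.g. for pasting into an advisory triage note."""
    lines = []
    for labels, kinds in dependency_paths(tree_text, crate, version):
        hops = [labels[0]] + [f"{l} [{k}]" for l, k in zip(labels[1:], kinds[1:])]
        lines.append(" -> ".join(hops))
    return lines


if __name__ == "__main__":
    for name, ver in (("regex", "0.2.11"), ("thread_local", "0.3.6"), ("libc", None)):
        print(name, "runtime-reachable:", runtime_reachable(SAMPLE_TREE, name, ver))
        for path in describe(SAMPLE_TREE, name, ver):
            print("   ", path)
```

Run against the sample, both `regex 0.2.11` and `thread_local 0.3.6` come back as not runtime-reachable (every path to them passes through the `bindgen` build edge), while the constructed `libc` dependency is reachable directly. A build-only finding still deserves fixing, as the report says, but it changes the exposure: the vulnerable code runs on the developer's or CI machine during `cargo build`, not inside the shipped binary.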

ruabmbua commented 2 years ago

Ok, thanks for the report.

I updated the dependency and fixed the errors & warnings.