stratis-storage / project

A holding place for issues that affect more than one repository in the project

Update rustix dependency in Cargo.lock to 0.37.25 #674

Closed mulkieran closed 8 months ago

mulkieran commented 8 months ago

To avoid a possible future CVE: https://github.com/rustsec/advisory-db/pull/1812 and a current Dependabot issue.

sunfishcode commented 8 months ago

I checked the stratis-storage/stratisd repository and all its transitive dependencies, and it does not call the function involved in https://github.com/rustsec/advisory-db/pull/1812.

mulkieran commented 8 months ago

Thanks! Did you do this manually, or with a tool? When we release a new package, we also release an accompanying vendor tarfile. We like to avoid as much as possible having anything in the vendor tarfile that would cause the package to be flagged for a CVE by automatic tools, and, unfortunately, the automatic tools cannot do better than crate/version/feature, i.e., they can't do the actual code analysis that you did. I'm always on the lookout for more precise tools to get around this problem, but whenever bumping the version upstream is the cheapest course to avoid a possible CVE, we just go for that.

sunfishcode commented 8 months ago

I did it manually. I used cargo tree --workspace --all-features in the stratisd repository to find transitive dependencies. rustix appears as a transitive dependency twice, as a dependency of is-terminal and of tempfile. I'm familiar with both of those codebases, and I also double-checked by using rg to search for the string "rustix" in them to confirm that neither mentions rustix::fs::Dir.
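The check sunfishcode describes above (enumerate the dependency graph with cargo tree, then search the sources of the crates that depend on rustix for the symbol the advisory names) as an added shell example. It is not code from the stratisd project or from either commenter. The cargo tree excerpt and the vendor directory it builds are constructed stand-ins (the version numbers and file contents are invented) so that it runs offline, and it uses find/grep -F in place of rg. The fixed version 0.37.25, the dependent crate names is-terminal and tempfile, and the symbol rustix::fs::Dir are taken from the thread; the crate hypothetical-dep is made up to show what a positive hit looks like.

```shell
#!/bin/sh
# Added example, not stratisd's own tooling. Two checks a packager can run
# before deciding whether an advisory against a transitive dependency is
# reachable from their tree:
#   1. which versions of the crate appear in `cargo tree` output, and which
#      of them are below the fixed version;
#   2. which vendored crates mention the advisory's symbol at all.

FIXED=0.37.25              # fixed version named in the issue title
SYMBOL='rustix::fs::Dir'   # symbol named in the thread

# Constructed excerpt in the format `cargo tree --workspace --all-features`
# prints. Crate names match the thread; the versions are invented.
TREE='stratisd v3.6.0 (/src/stratisd)
├── is-terminal v0.4.9
│   └── rustix v0.37.23
│       ├── bitflags v1.3.2
│       └── io-lifetimes v1.0.11
└── tempfile v3.8.0
    ├── fastrand v2.0.0
    └── rustix v0.37.25
        └── bitflags v1.3.2'

# Read cargo tree text on stdin; print each distinct version of crate $1.
# The leading boundary keeps "foo-rustix v1" from matching "rustix".
crate_versions() {
    grep -E "(^|[^A-Za-z0-9_-])$1 v[0-9]" \
        | sed -E "s/.*$1 v([0-9][^ ]*).*/\1/" \
        | sort -u
}

# Return 0 when dotted version $1 is strictly lower than $2.
# Non-numeric tails (pre-release tags) are dropped from each component.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Read cargo tree text on stdin; print versions of crate $1 below $2.
vulnerable_versions() {
    crate_versions "$1" | while read -r v; do
        if version_lt "$v" "$2"; then printf '%s\n' "$v"; fi
    done
}

# Print the names of vendored crate directories under $1 whose .rs files
# contain the fixed string $2 (no regex, so "::" is taken literally).
crates_using_symbol() {
    find "$1" -name '*.rs' -exec grep -lF -- "$2" {} + \
        | while read -r f; do f=${f#"$1"/}; printf '%s\n' "${f%%/*}"; done \
        | sort -u
}

# Build a constructed stand-in for a `cargo vendor` directory. The file
# contents are invented; the two crates from the thread are written so
# that, as sunfishcode reports, neither mentions rustix::fs::Dir, and a
# hypothetical third crate does. Prints the directory path.
make_vendor() {
    d=$(mktemp -d)
    mkdir -p "$d/is-terminal-0.4.9/src" "$d/tempfile-3.8.0/src" "$d/hypothetical-dep-0.1.0/src"
    printf 'use rustix::termios::isatty;\n' > "$d/is-terminal-0.4.9/src/lib.rs"
    printf 'use rustix::fs::{openat, Mode, OFlags};\n' > "$d/tempfile-3.8.0/src/lib.rs"
    printf 'use rustix::fs::Dir;\n' > "$d/hypothetical-dep-0.1.0/src/lib.rs"
    printf '%s\n' "$d"
}

printf 'rustix versions in graph: %s\n' \
    "$(printf '%s\n' "$TREE" | crate_versions rustix | tr '\n' ' ')"
printf 'versions below %s: %s\n' "$FIXED" \
    "$(printf '%s\n' "$TREE" | vulnerable_versions rustix "$FIXED" | tr '\n' ' ')"
VENDOR=$(make_vendor)
printf 'vendored crates mentioning %s: %s\n' "$SYMBOL" \
    "$(crates_using_symbol "$VENDOR" "$SYMBOL" | tr '\n' ' ')"
rm -rf "$VENDOR"
```

Against a real checkout, pipe `cargo tree --workspace --all-features` into crate_versions and point crates_using_symbol at the `cargo vendor` output (what goes into the vendor tarfile). A fixed-string search is only a first cut: it misses glob imports such as `use rustix::fs::*`, renamed re-exports and macro-generated code, so a hit or a miss still needs the kind of reading of the dependent crates described above, and the scanners mulkieran mentions will keep flagging the crate/version pair regardless of what this finds.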