tomusdrw / rust-web3

Ethereum JSON-RPC multi-transport client. Rust implementation of web3 library. ENS address: rust-web3.eth
MIT License

Fix secp256k1 possible use after free audit vulnerability #685

Closed rodoufu closed 1 year ago

rodoufu commented 1 year ago

Fixing possible use after free

cargo audit --ignore RUSTSEC-2020-0071
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 531 security advisories (from /Users/rodolfo-araujo/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (241 crate dependencies)
Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── env_logger 0.9.3
    └── web3 0.19.0

Crate:     secp256k1
Version:   0.21.3
Warning:   unsound
Title:     Unsound API in `secp256k1` allows use-after-free and invalid deallocation from safe code
Date:      2022-11-30
ID:        RUSTSEC-2022-0070
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0070
Dependency tree:
secp256k1 0.21.3
└── web3 0.19.0

warning: 2 allowed warnings found

rodoufu commented 1 year ago

Maybe you can take a look @tomusdrw. Thanks in advance!

tomusdrw commented 1 year ago

Thanks!