vi / websocat

Command-line client for WebSockets, like netcat (or curl) for ws:// with advanced socat-like functions
MIT License

Security vulnerabilities found by cargo audit #277

Open mnhauke opened 1 day ago

mnhauke commented 1 day ago

Hello, I am one of the [openSUSE websocat package]() maintainers.

The package build routines nowadays include a check via cargo audit to only allow updates without security vulnerabilities. The current version v1.14.0 fails that check because of the following discovered vulnerabilities:

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 686 security advisories (from /home/mhauke/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (224 crate dependencies)
Crate:     hyper
Version:   0.10.16
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
├── websocket 0.27.1
│   └── websocat 1.14.0
└── websocat 1.14.0

Crate:     hyper
Version:   0.10.16
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     openssl
Version:   0.10.64
Title:     `MemBio::get_buf` has undefined behavior with empty buffers
Date:      2024-07-21
ID:        RUSTSEC-2024-0357
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0357
Solution:  Upgrade to >=0.10.66
Dependency tree:
openssl 0.10.64
└── native-tls 0.2.11
    ├── websocket-base 0.26.5
    │   ├── websocket 0.27.1
    │   │   └── websocat 1.14.0
    │   └── websocat 1.14.0
    ├── websocket 0.27.1
    ├── websocat 1.14.0
    └── tokio-tls 0.2.1
        ├── websocket-base 0.26.5
        ├── websocket 0.27.1
        └── websocat 1.14.0

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
└── hyper 0.10.16
    ├── websocket 0.27.1
    │   └── websocat 1.14.0
    └── websocat 1.14.0

Crate:     tokio
Version:   0.1.22
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.1.22
├── websocat 1.14.0
├── tokio-named-pipes 0.1.0
│   └── websocat 1.14.0
└── tk-listen 0.2.1
    └── websocat 1.14.0

Crate:     anymap
Version:   0.12.1
Warning:   unmaintained
Title:     anymap is unmaintained.
Date:      2021-05-07
ID:        RUSTSEC-2021-0065
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0065
Dependency tree:
anymap 0.12.1
└── websocat 1.14.0

Crate:     atty
Version:   0.2.14
Warning:   unmaintained
Title:     `atty` is unmaintained
Date:      2024-09-25
ID:        RUSTSEC-2024-0375
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0375
Dependency tree:
atty 0.2.14
└── websocat 1.14.0

Crate:     derivative
Version:   1.0.4
Warning:   unmaintained
Title:     `derivative` is unmaintained; consider using an alternative
Date:      2024-06-26
ID:        RUSTSEC-2024-0388
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0388
Dependency tree:
derivative 1.0.4
└── websocat 1.14.0

Crate:     net2
Version:   0.2.39
Warning:   unmaintained
Title:     `net2` crate has been deprecated; use `socket2` instead
Date:      2020-05-01
ID:        RUSTSEC-2020-0016
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.39
├── websocat 1.14.0
├── miow 0.2.2
│   └── mio 0.6.23
│       ├── tokio-uds 0.2.7
│       │   ├── websocat 1.14.0
│       │   └── tokio 0.1.22
│       │       ├── websocat 1.14.0
│       │       ├── tokio-named-pipes 0.1.0
│       │       │   └── websocat 1.14.0
│       │       └── tk-listen 0.2.1
│       │           └── websocat 1.14.0
│       ├── tokio-udp 0.1.6
│       │   ├── websocat 1.14.0
│       │   └── tokio 0.1.22
│       ├── tokio-tcp 0.1.4
│       │   ├── websocket-base 0.26.5
│       │   │   ├── websocket 0.27.1
│       │   │   │   └── websocat 1.14.0
│       │   │   └── websocat 1.14.0
│       │   ├── websocket 0.27.1
│       │   ├── websocat 1.14.0
│       │   └── tokio 0.1.22
│       ├── tokio-signal 0.2.9
│       │   ├── websocat 1.14.0
│       │   └── tokio-process 0.2.5
│       │       └── websocat 1.14.0
│       ├── tokio-reactor 0.1.12
│       │   ├── websocket 0.27.1
│       │   ├── websocat 1.14.0
│       │   ├── tokio-uds 0.2.7
│       │   ├── tokio-udp 0.1.6
│       │   ├── tokio-tcp 0.1.4
│       │   ├── tokio-signal 0.2.9
│       │   ├── tokio-process 0.2.5
│       │   ├── tokio-file-unix 0.5.1
│       │   │   └── websocat 1.14.0
│       │   └── tokio 0.1.22
│       ├── tokio-process 0.2.5
│       ├── tokio-named-pipes 0.1.0
│       ├── tokio-file-unix 0.5.1
│       ├── tokio 0.1.22
│       ├── mio-uds 0.6.8
│       │   ├── tokio-uds 0.2.7
│       │   └── tokio-signal 0.2.9
│       └── mio-named-pipes 0.1.7
│           ├── tokio-process 0.2.5
│           └── tokio-named-pipes 0.1.0
└── mio 0.6.23

Crate:     safemem
Version:   0.3.3
Warning:   unmaintained
Title:     safemem is unmaintained
Date:      2023-02-14
ID:        RUSTSEC-2023-0081
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0081
Dependency tree:
safemem 0.3.3
└── base64 0.9.3
    └── hyper 0.10.16
        ├── websocket 0.27.1
        │   └── websocat 1.14.0
        └── websocat 1.14.0

Crate:     traitobject
Version:   0.1.0
Warning:   unmaintained
Title:     traitobject is Unmaintained
Date:      2021-10-04
ID:        RUSTSEC-2021-0144
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0144
Dependency tree:
traitobject 0.1.0
└── hyper 0.10.16
    ├── websocket 0.27.1
    │   └── websocat 1.14.0
    └── websocat 1.14.0

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145

Crate:     crossbeam-queue
Version:   0.1.2
Warning:   unsound
Title:     `SegQueue` creates zero value of any type
Date:      2022-05-10
ID:        RUSTSEC-2022-0021
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0021
Dependency tree:
crossbeam-queue 0.1.2
└── tokio-process 0.2.5
    └── websocat 1.14.0

Crate:     crossbeam-utils
Version:   0.6.6
Warning:   unsound
Title:     Unsoundness of AtomicCell<*64> arithmetics on 32-bit targets that support Atomic*64
Date:      2022-02-05
ID:        RUSTSEC-2022-0041
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0041
Dependency tree:
crossbeam-utils 0.6.6
└── crossbeam-queue 0.1.2
    └── tokio-process 0.2.5
        └── websocat 1.14.0

Crate:     crossbeam-utils
Version:   0.7.2
Warning:   unsound
Title:     Unsoundness of AtomicCell<*64> arithmetics on 32-bit targets that support Atomic*64
Date:      2022-02-05
ID:        RUSTSEC-2022-0041
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0041
Dependency tree:
crossbeam-utils 0.7.2
├── tokio-timer 0.2.13
│   ├── websocat 1.14.0
│   └── tokio 0.1.22
│       ├── websocat 1.14.0
│       ├── tokio-named-pipes 0.1.0
│       │   └── websocat 1.14.0
│       └── tk-listen 0.2.1
│           └── websocat 1.14.0
├── tokio-threadpool 0.1.18
│   ├── tokio-fs 0.1.7
│   │   └── tokio 0.1.22
│   └── tokio 0.1.22
├── tokio-reactor 0.1.12
│   ├── websocket 0.27.1
│   │   └── websocat 1.14.0
│   ├── websocat 1.14.0
│   ├── tokio-uds 0.2.7
│   │   ├── websocat 1.14.0
│   │   └── tokio 0.1.22
│   ├── tokio-udp 0.1.6
│   │   ├── websocat 1.14.0
│   │   └── tokio 0.1.22
│   ├── tokio-tcp 0.1.4
│   │   ├── websocket-base 0.26.5
│   │   │   ├── websocket 0.27.1
│   │   │   └── websocat 1.14.0
│   │   ├── websocket 0.27.1
│   │   ├── websocat 1.14.0
│   │   └── tokio 0.1.22
│   ├── tokio-signal 0.2.9
│   │   ├── websocat 1.14.0
│   │   └── tokio-process 0.2.5
│   │       └── websocat 1.14.0
│   ├── tokio-process 0.2.5
│   ├── tokio-file-unix 0.5.1
│   │   └── websocat 1.14.0
│   └── tokio 0.1.22
├── tokio-executor 0.1.10
│   ├── tokio-timer 0.2.13
│   ├── tokio-threadpool 0.1.18
│   ├── tokio-signal 0.2.9
│   ├── tokio-reactor 0.1.12
│   ├── tokio-current-thread 0.1.7
│   │   ├── websocat 1.14.0
│   │   └── tokio 0.1.22
│   └── tokio 0.1.22
├── crossbeam-queue 0.2.3
│   └── tokio-threadpool 0.1.18
├── crossbeam-epoch 0.8.2
│   └── crossbeam-deque 0.7.4
│       └── tokio-threadpool 0.1.18
└── crossbeam-deque 0.7.4

Crate:     hyper
Version:   0.10.16
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     lock_api
Version:   0.3.4
Warning:   unsound
Title:     Some lock_api lock guard objects can cause data races
Date:      2020-11-08
ID:        RUSTSEC-2020-0070
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0070
Dependency tree:
lock_api 0.3.4
└── parking_lot 0.9.0
    └── tokio-reactor 0.1.12
        ├── websocket 0.27.1
        │   └── websocat 1.14.0
        ├── websocat 1.14.0
        ├── tokio-uds 0.2.7
        │   ├── websocat 1.14.0
        │   └── tokio 0.1.22
        │       ├── websocat 1.14.0
        │       ├── tokio-named-pipes 0.1.0
        │       │   └── websocat 1.14.0
        │       └── tk-listen 0.2.1
        │           └── websocat 1.14.0
        ├── tokio-udp 0.1.6
        │   ├── websocat 1.14.0
        │   └── tokio 0.1.22
        ├── tokio-tcp 0.1.4
        │   ├── websocket-base 0.26.5
        │   │   ├── websocket 0.27.1
        │   │   └── websocat 1.14.0
        │   ├── websocket 0.27.1
        │   ├── websocat 1.14.0
        │   └── tokio 0.1.22
        ├── tokio-signal 0.2.9
        │   ├── websocat 1.14.0
        │   └── tokio-process 0.2.5
        │       └── websocat 1.14.0
        ├── tokio-process 0.2.5
        ├── tokio-file-unix 0.5.1
        │   └── websocat 1.14.0
        └── tokio 0.1.22

Crate:     memoffset
Version:   0.5.6
Warning:   unsound
Title:     memoffset allows reading uninitialized memory
Date:      2023-06-21
ID:        RUSTSEC-2023-0045
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0045
Dependency tree:
memoffset 0.5.6
└── crossbeam-epoch 0.8.2
    └── crossbeam-deque 0.7.4
        └── tokio-threadpool 0.1.18
            ├── tokio-fs 0.1.7
            │   └── tokio 0.1.22
            │       ├── websocat 1.14.0
            │       ├── tokio-named-pipes 0.1.0
            │       │   └── websocat 1.14.0
            │       └── tk-listen 0.2.1
            │           └── websocat 1.14.0
            └── tokio 0.1.22

Crate:     traitobject
Version:   0.1.0
Warning:   unsound
Title:     traitobject assumes the layout of fat pointers
Date:      2020-06-01
ID:        RUSTSEC-2020-0027
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0027
Severity:  9.8 (critical)

error: 5 vulnerabilities found!
warning: 14 allowed warnings found

vi commented 1 day ago

Such things are one of the reasons (or maybe the primary reason) why I rewrote it using modern dependencies.

It is impractical to close all those things - maybe porting the features to the 4.0.0 branch would be simpler.

I hope that most of the things should not be (easily) reachable from Websocat. For example:

> Lenient hyper header parsing of Content-Length could allow request smuggling

WebSockets do not use the Content-Length field.

> Integer overflow in hyper's parsing of the Transfer-Encoding header leads to data loss

WebSockets do not use Transfer-Encoding.

> Potential segfault in the time crate

As far as I remember, it's about environment variables and setting the timezone or something like that. Obviously Websocat does not use set_env.

In general, RUSTSECs rarely directly translate to exploitable vulnerabilities.

The most important security-related dependency - OpenSSL - should be up to date even with the v1 branch.


Maybe try to package v4.0.0-alpha1 instead?

The only cargo audit warning there is that "instant is unmaintained" (RUSTSEC-2024-0384) (coming from a transitive dependency).

Note that a lot of Websocat1 features are missing at the moment (porting is tracked at #276). If Websocat is unpackaged at the moment it may be less of a problem, but an automatic update from v1.13 to 4.0.0-alpha1 may not be a good idea.


> The current version v1.14.0 fails that check

Is it the first time openSUSE packages Websocat (i.e. v1.14.0 is the starting version), or is it an update?

v1.14.0 is not significantly different from v1.13.0, v1.12.0 and so on in this regard - the master branch has been stuck with legacy deps for a long time.

Maybe the cargo audit requirement is a new one?

The only correctness change in v1.14 compared to v1.13 is the prioritisation of pong replies over normal traffic. The rest are somewhat minor features, so sticking with 1.13 for some time should not be a large problem.
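A small triage helper for reports in the format pasted in the issue above, added here as an example and not part of websocat or cargo-audit: it splits the text report into advisories, separates real vulnerabilities from `unmaintained`/`unsound` warnings, reuses the dependency tree that cargo audit prints only once per crate+version, and flags which flagged crates the root crate depends on directly (the trees above show most unsound/unmaintained crates arriving only through hyper, tokio and crossbeam). `SAMPLE` is a constructed excerpt with trimmed trees, and the `root` name is an assumption.

```python
import re

def parse_report(text, root="websocat"):
    """One dict per advisory in cargo audit's plain-text report."""
    entries, trees = [], {}
    for block in re.findall(r"^Crate:.*?(?=\n\s*\n|\Z)", text, re.S | re.M):
        head, _, tree = block.partition("Dependency tree:\n")
        e = {"kind": "vulnerability"}             # no "Warning:" line = real vulnerability
        for k, _, v in (ln.partition(":") for ln in head.splitlines()):
            k, v = k.strip().lower(), v.strip()
            if k == "warning":                    # unmaintained / unsound / yanked
                e["kind"] = v
            else:
                e[k] = v
        ident = (e["crate"], e["version"])        # tree is printed once per crate+version
        tree = trees.setdefault(ident, tree) if tree else trees.get(ident, "")
        # a branch directly under the crate line naming the root crate = direct dependency
        e["direct"] = any(t[4:].startswith(root + " ") for t in tree.splitlines()
                          if t[:4] in ("├── ", "└── "))
        entries.append(e)
    return entries

def triage(entries):
    vulns = [e["id"] for e in entries if e["kind"] == "vulnerability"]
    return {"vulnerabilities": len(vulns), "warnings": len(entries) - len(vulns),
            "direct": sorted(e["id"] for e in entries if e["direct"])}

SAMPLE = """\
Crate:     hyper
Version:   0.10.16
ID:        RUSTSEC-2021-0078
Severity:  5.3 (medium)
Dependency tree:
hyper 0.10.16
└── websocat 1.14.0

Crate:     hyper
Version:   0.10.16
ID:        RUSTSEC-2021-0079
Severity:  9.1 (critical)

Crate:     safemem
Version:   0.3.3
Warning:   unmaintained
ID:        RUSTSEC-2023-0081
Dependency tree:
safemem 0.3.3
└── hyper 0.10.16
    └── websocat 1.14.0
"""
```

Feeding it the full output (preamble and `error:` trailer included) works the same way, since only blocks starting with `Crate:` are parsed.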