witnet / witnet-rust

Open source Rust implementation of the Witnet decentralized oracle protocol, including full node and wallet backend 👁️🦀
https://docs.witnet.io
GNU General Public License v3.0

RUSTSEC-2022-0040: Multiple soundness issues in `owning_ref` #2244

Open github-actions[bot] opened 2 years ago

github-actions[bot] commented 2 years ago

Multiple soundness issues in owning_ref

Details

| Field | Value |
|---|---|
| Package | owning_ref |
| Version | 0.4.1 |
| URL | https://github.com/noamtashma/owning-ref-unsoundness |
| Date | 2022-01-26 |

No patched versions are available at this time. While a pull request with some fixes is outstanding, the maintainer appears to be unresponsive.

See advisory page for additional details.

tmpolaczyk commented 2 years ago

owning_ref is a dependency of async-jsonrpc-client, which is a legacy package that we use in some projects. The async-jsonrpc-client package has many outdated dependencies like futures 0.1, which forces us to add compatibility workarounds such as the Compat01As03 type. The best solution would be to find or create a modern jsonrpc client.

```console
$ cargo tree --no-dedupe --workspace -i owning_ref
owning_ref v0.4.1
└── lock_api v0.1.5
    └── parking_lot v0.7.1
        └── async-jsonrpc-client v0.1.0 (https://github.com/witnet/async-jsonrpc-client?branch=fix-tcp-leak#600a2d69)
            ├── witnet-centralized-ethereum-bridge v0.1.0 (/witnet-rust/bridges/centralized-ethereum)
            ├── witnet-ethereum-bridge v0.1.0 (/witnet-rust/bridges/ethereum)
            ├── witnet_net v0.1.0 (/witnet-rust/net)
            │   ├── witnet-centralized-ethereum-bridge v0.1.0 (/witnet-rust/bridges/centralized-ethereum)
            │   └── witnet_wallet v0.3.2 (/witnet-rust/wallet)
            │       └── witnet v1.5.2 (/witnet-rust)
            └── witnet_wallet v0.3.2 (/witnet-rust/wallet)
                └── witnet v1.5.2 (/witnet-rust)
```
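To turn an advisory like RUSTSEC-2022-0040 into the list of workspace crates that actually ship the affected dependency, the inverse tree above can be parsed mechanically. The following is an added example, not code from witnet-rust: it reads the `cargo tree -i` output quoted in the comment (embedded here as a constant), walks the four-column nesting, and collects every chain that ends in a path dependency, which is how the workspace's own crates appear. The function names are my own.

```rust
use std::collections::BTreeSet;

/// Characters that make up cargo's tree prefix columns (`└── `, `├── `, `│   `, spaces).
const PREFIX: &str = " │├└─";

/// Parse the output of `cargo tree -i <crate>` and return every chain from the
/// advised crate down to a crate whose source is a local path, i.e. a workspace
/// member. Each nesting level is four columns wide, so depth = (name column) / 4.
pub fn dependency_chains(tree: &str) -> Vec<Vec<String>> {
    let mut stack: Vec<String> = Vec::new();
    let mut chains = Vec::new();
    for line in tree.lines() {
        let depth = line.chars().take_while(|c| PREFIX.contains(*c)).count() / 4;
        let entry = line.trim_start_matches(|c: char| PREFIX.contains(c));
        let name = match entry.split_whitespace().next() { Some(n) => n, None => continue };
        stack.truncate(depth); // climb back up to this line's parent
        stack.push(name.to_string());
        if entry.contains(" (/") {
            // a path dependency: one of the workspace's own crates is affected
            chains.push(stack.clone());
        }
    }
    chains
}

/// Distinct workspace members that transitively depend on the advised crate.
pub fn affected_members(tree: &str) -> Vec<String> {
    let set: BTreeSet<String> = dependency_chains(tree)
        .into_iter()
        .filter_map(|chain| chain.last().cloned())
        .collect();
    set.into_iter().collect()
}

/// The `cargo tree --no-dedupe --workspace -i owning_ref` output quoted in the comment above.
pub const SAMPLE_TREE: &str = r"owning_ref v0.4.1
└── lock_api v0.1.5
    └── parking_lot v0.7.1
        └── async-jsonrpc-client v0.1.0 (https://github.com/witnet/async-jsonrpc-client?branch=fix-tcp-leak#600a2d69)
            ├── witnet-centralized-ethereum-bridge v0.1.0 (/witnet-rust/bridges/centralized-ethereum)
            ├── witnet-ethereum-bridge v0.1.0 (/witnet-rust/bridges/ethereum)
            ├── witnet_net v0.1.0 (/witnet-rust/net)
            │   ├── witnet-centralized-ethereum-bridge v0.1.0 (/witnet-rust/bridges/centralized-ethereum)
            │   └── witnet_wallet v0.3.2 (/witnet-rust/wallet)
            │       └── witnet v1.5.2 (/witnet-rust)
            └── witnet_wallet v0.3.2 (/witnet-rust/wallet)
                └── witnet v1.5.2 (/witnet-rust)";

fn main() {
    for chain in dependency_chains(SAMPLE_TREE) { println!("{}", chain.join(" -> ")); }
    println!("affected workspace members: {:?}", affected_members(SAMPLE_TREE));
}
```

On this tree it reports all five workspace crates, including the `witnet` node binary itself, which reaches `owning_ref` only through `witnet_wallet`.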