zip-rs / zip-old

Zip implementation in Rust
MIT License
731 stars, 204 forks

CVE-2023-22895 - bzip2 vulnerability #335

Closed hampuslidin closed 1 year ago

hampuslidin commented 1 year ago

A security advisory has been raised for the bzip2 <0.4.4 versions:

https://www.cvedetails.com/cve/CVE-2023-22895/

Bumping this dependency to 0.4.4 would circumvent the security issue.

Plecra commented 1 year ago

Ah, cheers. I'd rather not address this within zip, as dependency versions are really meant for compatibility, not protecting users. I'd prefer the upstream version yanked, but we can bump our version if bzip2 is hesitant to do that.

Plecra commented 1 year ago

Ah yanking is still a bit messy. I'll have a look into what the best solution is in zip!

Plecra commented 1 year ago

I checked in with the Community Discord, and yeah a dependency bump in zip would be pretty atypical. Do you know which users this change would protect? As I understand it, the only thing we'd manage to do is break some builds which explicitly depend on <0.4.4, and I don't think that's our goal. Every newly built dependent on zip should be using secure versions already.

lnicola commented 1 year ago

Yeah, it would be pretty unusual to do this in zip.

hampuslidin commented 1 year ago

Hi, thanks for the response!

Fair enough, since it is possible for dependent users to upgrade bzip explicitly in their Cargo lockfile, it is better to keep compatibility with crates that might depend on those earlier versions.

You may close this issue in that case!

> On 31 Jan 2023 at 07:37, Laurențiu Nicola @.***> wrote: Yeah, it would be pretty unusual to do this in zip.


mcandre commented 1 year ago

Backwards compatibility over security patches?

NobodyXu commented 1 year ago

> Backwards compatibility over security patches?

For new projects using zip, they would automatically use the latest bzip2 release. For existing projects using zip, they can always upgrade bzip2 to latest release themselves.
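The comment above rests on how Cargo resolves versions: the `zip` crate declares a semver range, and the concrete `bzip2` version is chosen by the final binary's `Cargo.lock`. The script below is an added example (not code from the zip-rs project or any participant in this thread) showing how a downstream project can check which `bzip2` version its lockfile actually pins and whether it predates the 0.4.4 fix. The `Cargo.lock` fragment is constructed for the example; the `cargo update -p` and `cargo tree -i` commands in the comments are standard Cargo subcommands.

```shell
#!/bin/sh
# Constructed sample Cargo.lock for a hypothetical binary "app" that depends on
# zip, which in turn pulls in bzip2. The lockfile pins bzip2 to a pre-fix version.
SAMPLE_LOCK='# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "zip",
]

[[package]]
name = "bzip2"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "zip"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "bzip2",
]
'

# Print every version of package $1 pinned in the Cargo.lock read from stdin.
# Cargo.lock lists `name = "..."` before `version = "..."` inside each [[package]] table.
locked_versions() {
  awk -v pkg="$1" '
    /^\[\[package\]\]/ { name = ""; ver = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { gsub(/"/, "", $3); ver = $3; if (name == pkg) print ver }
  '
}

# Return 0 (true) when dotted version $1 is strictly lower than $2, comparing
# major.minor.patch numerically (pre-release suffixes are not handled here).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      ai = (i <= n) ? x[i] + 0 : 0
      bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1
  }'
}

# Read a Cargo.lock on stdin and report each pinned bzip2 version as
# "vulnerable <ver>" (below 0.4.4) or "ok <ver>" (0.4.4 or later).
check_bzip2() {
  locked_versions bzip2 | while read -r v; do
    if version_lt "$v" 0.4.4; then
      echo "vulnerable $v"
    else
      echo "ok $v"
    fi
  done
}

# Demonstration on the constructed lockfile. In a real checkout you would run
# `check_bzip2 < Cargo.lock`, then fix a "vulnerable" result with
# `cargo update -p bzip2` (re-resolves within zip's declared range) and confirm
# the new pin with `cargo tree -i bzip2`.
printf '%s\n' "$SAMPLE_LOCK" | check_bzip2
```

The version comparison is deliberately numeric rather than a string compare, so `0.4.10` is correctly treated as newer than `0.4.4`; since the lockfile, not `zip`'s manifest, decides the pinned version, this check belongs in the binary crate's CI rather than in the library.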

Magicloud commented 1 year ago

Why not bump the zip version and restrict the bzip2 version being used?

lnicola commented 1 year ago

This crate doesn't pick a bzip2 version, the binaries do. There is no vulnerability introduced by this crate.

Imagine asking every crate in the world to require some minimum toolchain version just because there was a bug in the standard library a couple of years ago.