
fix: deps #296

GitHub Actions / Security audit failed Oct 10, 2023 in 0s

Security advisories found

3 advisory(ies), 4 unmaintained, 1 other

Details

Vulnerabilities

RUSTSEC-2022-0093

Double Public Key Signing Function Oracle Attack on ed25519-dalek

Details
Package ed25519-dalek
Version 1.0.1
URL https://github.com/MystenLabs/ed25519-unsafe-libs
Date 2022-06-11
Patched versions >=2

Versions of ed25519-dalek prior to v2.0 model private and public keys as
separate types which can be assembled into a Keypair, and also provide APIs
for serializing and deserializing 64-byte private/public keypairs.

Such APIs and serializations are inherently unsafe because the public key is one of
the inputs to the deterministic computation of the S part of the signature,
but not of the R value. An adversary who can somehow use the signing function as
an oracle that accepts arbitrary public keys as input can obtain two signatures
for the same message that share the same R and differ only in the S part.

Unfortunately, when this happens, one can easily extract the private key.

Revised public APIs in v2.0 of ed25519-dalek do NOT allow a decoupled
private/public keypair as signing input, except as part of specially labeled
"hazmat" APIs which are clearly labeled as being dangerous if misused.

RUSTSEC-2022-0083

evm incorrect state transition

Details
Package evm
Version 0.35.0
URL rust-ethereum/evm#133
Date 2022-10-25
Patched versions >=0.36.0

SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine.

A custom stateful precompile can use the is_static parameter to determine if
the call is executed in a static context (via STATICCALL), and thus decide
if stateful operations should be done.

Prior to version 0.36.0, the passed is_static parameter was incorrect -- it
was only set to true if the call came from a direct STATICCALL opcode.

However, once a static call context is entered, it should stay static. The issue
only impacts custom precompiles that actually use is_static.

For those affected, the issue can lead to possible incorrect state transitions.

RUSTSEC-2022-0090

libsqlite3-sys via C SQLite CVE-2022-35737

Details
Package libsqlite3-sys
Version 0.9.4
URL https://nvd.nist.gov/vuln/detail/CVE-2022-35737
Date 2022-08-03
Patched versions >=0.25.1

It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large strings were input into SQLite's printf function.

As libsqlite3-sys bundles SQLite, it is susceptible to the vulnerability. libsqlite3-sys was updated to bundle the patched version of SQLite here.

Warnings

RUSTSEC-2021-0139

ansi_term is Unmaintained

Details
Status unmaintained
Package ansi_term
Version 0.11.0
URL ogham/rust-ansi-term#72
Date 2021-08-18

The maintainer has advised that this crate is deprecated and will not receive any maintenance.

The crate does not seem to have many dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives:

Dependency Specific Migration(s)

RUSTSEC-2021-0139

ansi_term is Unmaintained

Details
Status unmaintained
Package ansi_term
Version 0.12.1
URL ogham/rust-ansi-term#72
Date 2021-08-18

The maintainer has advised that this crate is deprecated and will not receive any maintenance.

The crate does not seem to have many dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives:

Dependency Specific Migration(s)

RUSTSEC-2020-0095

difference is unmaintained

Details
Status unmaintained
Package difference
Version 2.0.0
URL johannhof/difference.rs#45
Date 2020-12-20

The author of the difference crate is unresponsive.

Maintained alternatives:

RUSTSEC-2021-0141

dotenv is Unmaintained

Details
Status unmaintained
Package dotenv
Version 0.15.0
URL dotenv-rs/dotenv#74
Date 2021-12-24

dotenv by description is meant to be used in development or testing only.

Using this in production may or may not be advisable.

Alternatives

The below may or may not be feasible alternative(s):