Stream: wg-secure-code

Topic: RustSec


Tony Arcieri (Oct 18 2018 at 23:51, on Zulip):

Thought I'd make a topic about RustSec and merging it into this WG. There's also a GitHub issue https://github.com/rust-secure-code/wg/issues/4

Tony Arcieri (Nov 28 2018 at 20:54, on Zulip):

Opened an issue to talk about collecting structured info about vulnerable functions in advisories: https://github.com/RustSec/advisory-db/issues/68

Tony Arcieri (Nov 28 2018 at 20:54, on Zulip):

for use with a tool like RustPräzi https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912

Shnatsel (Dec 09 2018 at 00:39, on Zulip):

I've just searched for "sigsegv language:rust" on Github issues, found a few projects that fixed serious issues (mostly use-after-free) without filing a RustSec or CVE and directed them to do so. Hopefully we'll see a slight influx in RustSec reports. I'll also post the most prominent ones to Reddit to get RustSec more visibility.

Shnatsel (Dec 09 2018 at 00:39, on Zulip):

That tool for checking for transitive dependencies on vulnerable crate versions would come in handy right about now to get some hard data on how bad things are in absence of out-of-the-box notifications about vulnerabilities. Is the tool or at least the results public yet?

Tony Arcieri (Dec 09 2018 at 01:55, on Zulip):

yes: https://crates.rustsec.org

Alex Gaynor (Dec 09 2018 at 01:57, on Zulip):

Is sorting this by downloads on the roadmap?

Tony Arcieri (Dec 09 2018 at 02:13, on Zulip):

not sure, maybe ask @Zach Reizner

briansmith (Dec 09 2018 at 02:26, on Zulip):

IMO it's not realistic to expect people to do that paperwork so either somebody should do it for them or, more realistically, we shouldn't rely on it being done.

Shnatsel (Dec 09 2018 at 11:41, on Zulip):

Well, the only thing I can think of would be some kind of bot that scrapes GitHub and GitLab and pre-filters bugs that could be security vulnerabilities. Keywords should do it, although we could throw in some kind of fancy machine learning thing later once we have a reasonably sized dataset

Alex Gaynor (Dec 09 2018 at 16:44, on Zulip):

I think we need to figure out at what stage people are dropping out of the funnel. Are they not making time to file it? Are they trying to but it's too hard? Are they not aware it'd be valuable?

briansmith (Dec 09 2018 at 17:23, on Zulip):

@Alex Gaynor I don't think it's valuable since nobody is willing to pay people to do it.

briansmith (Dec 09 2018 at 17:23, on Zulip):

And since it's not valuable, why do it?

Tony Arcieri (Dec 09 2018 at 17:24, on Zulip):

As it were, after nearly two months of nothing there have been two filed in the past two days, possibly thanks to @Shnatsel

Tony Arcieri (Dec 09 2018 at 17:25, on Zulip):

also someone talking about a high severity one in the yaml crate which they are trying to disclose privately

Shnatsel (Dec 09 2018 at 19:23, on Zulip):

My guess is people are simply not aware that RustSec exists, and CVE feels out of reach (and for the most part actually was until iwantacve.org)

Shnatsel (Dec 09 2018 at 19:40, on Zulip):

Oh, I've seen someone reporting a bug in serde-yaml after fuzzing it. It got turned down as invalid though.
I feel people should use yaml-rust instead of yaml, as yaml-rust is 100% safe rust and more feature-complete at the same time.

Tony Arcieri (Dec 10 2018 at 18:24, on Zulip):

yeah, re: awareness, obviously upstreaming it into cargo as a first-class feature would help there

Tony Arcieri (Dec 10 2018 at 18:25, on Zulip):

we're having a call about RustSec later this week if anyone is interested

Tony Arcieri (Dec 10 2018 at 18:25, on Zulip):

Wednesday, December 12. 12:30 PM PST.

Zach Reizner (Dec 10 2018 at 18:26, on Zulip):

How does one enter this call?

Zach Reizner (Dec 10 2018 at 18:27, on Zulip):

Is sorting this by downloads on the roadmap?

Yep. I just haven't made time to do it. Anybody else can of course work on it as well.

Tony Arcieri (Dec 10 2018 at 18:27, on Zulip):

hmm, I'm looking at the invite and I'm not sure we actually picked a method, heh

Tony Arcieri (Dec 10 2018 at 18:28, on Zulip):

oh wait, now they're talking about moving it to earlier in the day :wink:

Tony Arcieri (Dec 10 2018 at 18:28, on Zulip):

ok 1s let me get the details

briansmith (Dec 10 2018 at 18:29, on Zulip):

What mailing list is the scheduling of the meeting happening on?

Tony Arcieri (Dec 10 2018 at 18:30, on Zulip):

this is the initial meeting we're having with the people that Ashley told us about months ago who were also interested in working on something like RustSec

Tony Arcieri (Dec 10 2018 at 18:31, on Zulip):

it's been very hard to get in touch with them for whatever reason

Tony Arcieri (Dec 10 2018 at 18:31, on Zulip):

Ashley intro'd us via a private email

Shnatsel (Dec 10 2018 at 19:56, on Zulip):

If you could put the meeting into an online calendar that automatically converts timezones, that'd be great

Tony Arcieri (Dec 10 2018 at 20:01, on Zulip):

I will when we coordinate a time, heh

Tony Arcieri (Dec 10 2018 at 20:56, on Zulip):

(at this point, it's more like they coordinate a time... so far we haven't rejected any times they proposed)

Shnatsel (Dec 11 2018 at 00:38, on Zulip):

In other news, OpenSSL keeps being depressing. https://github.com/sfackler/rust-openssl/pull/942 is a use-after-free in Rust bindings that did not get reported to RustSec. And now https://github.com/diesel-rs/diesel/issues/813 seems to trace back to OpenSSL bindings as well, and it's on a version that already has a fix for the former bug

Alex Gaynor (Dec 11 2018 at 00:43, on Zulip):

Just spoke with sfackler, I'm going to submit a RustSec advisory for that.

Shnatsel (Dec 11 2018 at 00:49, on Zulip):

Looks like rust-openssl needs automatic safety verification just as badly as libstd. I'm trying to pitch the "autogenerate fuzzing harnesses based on Rust types with syn and Arbitrary" as a 20% project so I can finally get around to actually doing that, wish me luck.

Alex Gaynor (Dec 11 2018 at 00:49, on Zulip):

This seems like it'd have been caught with a test + ASAN?

Shnatsel (Dec 11 2018 at 00:50, on Zulip):

Not sure about a test + ASAN, pretty sure about fuzzer + ASAN

Alex Gaynor (Dec 11 2018 at 00:51, on Zulip):

This UAF does not appear to be data-dependent, am I reading this wrong?

Shnatsel (Dec 11 2018 at 00:52, on Zulip):

I actually haven't dug into it, so can't really comment, sorry.

Shnatsel (Dec 11 2018 at 00:53, on Zulip):

I've looked through, like, a hundred github issues that day.

Alex Gaynor (Dec 11 2018 at 01:01, on Zulip):

https://github.com/RustSec/advisory-db/pull/77

Tony Arcieri (Dec 11 2018 at 16:24, on Zulip):

ok, guess we're back to the original proposed time (12:30PM PST) for the call tomorrow https://calendar.google.com/event?action=TEMPLATE&tmeid=NTE3NjdqZGpkYTM3cHI2NGIxMzBmOW9mZHIgYmFzY3VsZUBt&tmsrc=bascule%40gmail.com

Shnatsel (Dec 11 2018 at 19:29, on Zulip):

That link doesn't work. Is 12:30 PM just past noon or just past midnight?

Zach Reizner (Dec 11 2018 at 19:30, on Zulip):

Doesn't work for me either.

Tony Arcieri (Dec 11 2018 at 21:40, on Zulip):

Shnatsel: just past noon PST, or 20:30 GMT (December 12th)

Zach Reizner (Dec 11 2018 at 21:41, on Zulip):

How long does the call last?

Tony Arcieri (Dec 11 2018 at 21:43, on Zulip):

I'm not sure, somewhere between a half hour to an hour I'd guess?

Tony Arcieri (Dec 11 2018 at 21:44, on Zulip):

(note I'm not really organizing this call, just relaying the information)

Shnatsel (Dec 12 2018 at 18:25, on Zulip):

@Tony Arcieri you've never shared a link to the call. Is it over hangouts, zoom, something else?

Tony Arcieri (Dec 12 2018 at 19:24, on Zulip):

it's some service I haven't used before, but at least it doesn't appear to need any native app or extension, I think? Description: https://mozilla.stpeter.im/stpeter

Shnatsel (Dec 12 2018 at 19:26, on Zulip):

That link gives me "server not found"

Tony Arcieri (Dec 12 2018 at 19:26, on Zulip):

ditto

Tony Arcieri (Dec 12 2018 at 19:27, on Zulip):

(again, not organizing this)

Tony Arcieri (Dec 12 2018 at 20:27, on Zulip):

haven't heard back yet re: the link being dead

Tony Arcieri (Dec 12 2018 at 20:30, on Zulip):

prospective hangout: https://meet.google.com/czp-rwnf-xvy

Gerardo Di Giacomo (Dec 13 2018 at 19:28, on Zulip):

is there going to be a writeup about yesterday's call?

Tony Arcieri (Dec 13 2018 at 19:58, on Zulip):

I don't think anyone took notes, unfortunately. That probably would've been a good idea.

Tony Arcieri (Dec 13 2018 at 19:59, on Zulip):

it was mostly introducing a new person to the project, and the main action item is to create a "Pre-RFC" thread on rust-internals to discuss a first-class security advisory feature in cargo

Tony Arcieri (Dec 13 2018 at 19:59, on Zulip):

which I can take... fairly soon

Tony Arcieri (Dec 13 2018 at 20:00, on Zulip):

maybe I should just go do that

Joshua Liebow-Feeser (Dec 13 2018 at 20:15, on Zulip):

Yeah, it was basically getting a new person up to speed, and then everybody agreeing that moving forward with a pre-RFC is a good idea.

Joshua Liebow-Feeser (Dec 13 2018 at 20:15, on Zulip):

I don't think anything else important was discussed.

Tony Arcieri (Dec 13 2018 at 20:47, on Zulip):

I made a thread: https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017

Shnatsel (Dec 14 2018 at 22:12, on Zulip):

I think I've just incited a lot of heated discussion in your thread: https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/7

Tony Arcieri (Dec 14 2018 at 22:19, on Zulip):

haha, hopefully! those are good issues

Gerardo Di Giacomo (Dec 14 2018 at 22:59, on Zulip):

I think I've just incited a lot of heated discussion in your thread: https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/7

how does npm handle those?

Shnatsel (Dec 14 2018 at 23:01, on Zulip):

Warns you when you run npm update and depend on vulnerable versions for which no semver-compatible upgrade is available or you froze the version. npm actually does that pretty poorly; it had to roll out at least something because of competition from yarn

Gerardo Di Giacomo (Dec 14 2018 at 23:21, on Zulip):

but maybe it's a start, and there's no real competition risk for cargo.

I think it's better to have a suboptimal solution while working on a good one than not have a solution at all until a good one is ready

Tony Arcieri (Dec 14 2018 at 23:26, on Zulip):

:wink: https://twitter.com/bascule/status/1067943488333828096

Gerardo Di Giacomo (Dec 14 2018 at 23:29, on Zulip):

I would argue that npm model is "done decent"

Shnatsel (Dec 14 2018 at 23:34, on Zulip):

npm update is a destructive command that is likely to leave your npm modules directory in a broken state due to unresolvable dependencies, so no, I cannot say that's a reasonable way to notify developers about security updates in their dependencies. Even though it's better than nothing.

Shnatsel (Dec 14 2018 at 23:36, on Zulip):

More practically, I'm not against warnings on update in cargo for issues not resolved by the update. Quite the opposite, I'm all for them. But they alone are probably not sufficient.

Gerardo Di Giacomo (Dec 14 2018 at 23:58, on Zulip):

I was mostly talking about the warnings being positive, not the destructive consequences. I would find warnings far better than nothing, sufficient for a 1.0

Tony Arcieri (Jan 11 2019 at 02:40, on Zulip):

RustSec -> cargo crev integration:

https://github.com/RustSec/advisory-db/issues/85
https://github.com/dpc/crev/issues/149

Tony Arcieri (Jan 17 2019 at 23:59, on Zulip):

so I was just on a call GitHub organized with a focus group of people interested in vulnerability tracking

Tony Arcieri (Jan 18 2019 at 00:00, on Zulip):

it was pretty exciting. they're trying to build some first-class vulnerability tracking features, integrated into issues

Shnatsel (Jan 18 2019 at 00:05, on Zulip):

Will it require format changes for RustSec? Do we want to wait on integrating RustSec into Rust's primary tooling until then?

Alex Gaynor (Jan 18 2019 at 00:12, on Zulip):

I don't think it's a replacement for RustSec no, and I wouldn't wait on it.

Shnatsel (Jan 18 2019 at 00:19, on Zulip):

I was thinking more along the lines of it feeding information into RustSec and/or being interoperable both ways

Tony Arcieri (Jan 18 2019 at 00:25, on Zulip):

@Shnatsel I have some ideas about how to dramatically simplify the official integration

Tony Arcieri (Jan 18 2019 at 00:25, on Zulip):

which would be orthogonal to changing how the advisory database is stored

Tony Arcieri (Jan 18 2019 at 00:26, on Zulip):

namely: add yanking metadata, which is generally useful, and store the RustSec ID with the yank event when it happens

Tony Arcieri (Jan 18 2019 at 00:26, on Zulip):

and give cargo just enough knowledge of RustSec to be able to print a warning message

Tony Arcieri (Jan 18 2019 at 00:27, on Zulip):

e.g. if you had TOML yank metadata with something like

reason = "security"

[rustsec]
id = "RUSTSEC-YYYY-DDDD"

... or thereabouts, cargo could know enough to say that's a security vulnerability and print the ID

Tony Arcieri (Jan 18 2019 at 00:28, on Zulip):

but to get a full audit, you'd need to install cargo-audit (and barring anything else, cargo could just tell you to do that)

Tony Arcieri (Jan 18 2019 at 00:29, on Zulip):

that would be enough to surface warnings about security vulnerabilities, and at the same time it could also warn that you are using other yanked crates

Shnatsel (Jan 18 2019 at 00:41, on Zulip):

I'm not sure I'm sold on this idea

Tony Arcieri (Jan 18 2019 at 00:42, on Zulip):

what don't you like about it?

Tony Arcieri (Jan 18 2019 at 00:43, on Zulip):

main pro to me is: it seems... tractable

Tony Arcieri (Jan 18 2019 at 00:43, on Zulip):

and keeps RustSec decoupled from cargo

Tony Arcieri (Jan 18 2019 at 00:43, on Zulip):

it also leans on existing mechanisms/features, and adds a new feature which people were already requesting anyway

Tony Arcieri (Jan 18 2019 at 00:44, on Zulip):

we could also stick a summary/description in there, since that stuff is also useful for other yank events

Shnatsel (Jan 18 2019 at 00:57, on Zulip):

I would expect it to be more... integrated. Like, even npm has the equivalent of full cargo-audit output out of the box, and npm is not a particularly high bar to begin with. I would expect at least that from my tooling.
And I would want at least the "audit the project I'm currently working on" functionality built-in, so it would warn me on cargo build or some such. Getting it into the development loop is what I'm saying.

Shnatsel (Jan 18 2019 at 01:09, on Zulip):

Actually, I also want cargo-audit to tell me whether a semver-compatible upgrade path is available or not

Shnatsel (Jan 18 2019 at 01:09, on Zulip):

I'm not sure if it does that now

briansmith (Jan 18 2019 at 01:31, on Zulip):

Why restrict it to semver-compatible? Maybe the fix is in an incompatible version.

Tony Arcieri (Jan 18 2019 at 06:17, on Zulip):

@Shnatsel that could eventually happen

Tony Arcieri (Jan 18 2019 at 06:17, on Zulip):

but the cargo yank stuff (or something equivalent) is the minimum viable thing to get into cargo

Tony Arcieri (Jan 18 2019 at 06:20, on Zulip):

associating metadata with yanks also happens to be a cargo issue that @Alex Crichton opened a few years ago: https://github.com/rust-lang/cargo/issues/2608

Tony Arcieri (Jan 18 2019 at 06:20, on Zulip):

so I think it could actually stand a reasonably good chance of getting merged if implemented

Tony Arcieri (Jan 18 2019 at 06:22, on Zulip):

he even suggested it would be useful for the purpose of security advisories

Tony Arcieri (Jan 18 2019 at 06:31, on Zulip):

I don't think it's a replacement for RustSec no, and I wouldn't wait on it.

It's hard to tell exactly what they have in mind, but it sounds like it might just be able to like... automate the manual pain points of RustSec, while keeping everything else the same, and also providing an API

Tony Arcieri (Jan 18 2019 at 06:31, on Zulip):

@Alex Gaynor ^^^ bleh I can't Zulip

Tony Arcieri (Jan 18 2019 at 06:32, on Zulip):

like, it sounds like they just want to add security vulnerability-related features to the existing issues, and potentially be able to commit some serialized version of that to a git repo

Tony Arcieri (Jan 18 2019 at 06:33, on Zulip):

so uhh, I think we just keep doing what we're doing and maybe it will magically get more automated and awesome and get an API and potentially a "push button, get CVE"

Tony Arcieri (Jan 18 2019 at 07:50, on Zulip):

wrote this all up in a bit more detail: https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/14

Shnatsel (Jan 25 2019 at 18:15, on Zulip):

Here's something related to security updates and build timestamping: https://medium.com/@flundstrom2/manage-security-vulnerabilities-in-embedded-iot-devices-with-rust-14aeabada68b

Tony Arcieri (Jan 25 2019 at 18:30, on Zulip):

nice

Tony Arcieri (Jan 25 2019 at 18:46, on Zulip):

guess these are the papers:

https://ieeexplore.ieee.org/document/8536124
https://csce.ucmss.com/cr/books/2018/LFS/CSREA2018/SER3572.pdf

Tony Arcieri (Jan 25 2019 at 18:47, on Zulip):

IEEE one unfortunately paywalled :cry:

Gerardo Di Giacomo (Jan 25 2019 at 20:56, on Zulip):

has anyone tried cargo crev?

Gerardo Di Giacomo (Jan 25 2019 at 21:01, on Zulip):

I just tried to install it via cargo, doesn't even compile

Tony Arcieri (Jan 26 2019 at 15:39, on Zulip):

I installed it but... wasn't able to figure out how to actually make use of it other than submitting reviews. It does seem to have an active community though.

Shnatsel (Jan 27 2019 at 13:31, on Zulip):

Try filing a bug about what you couldn't figure out. It can be hard to figure out what docs you're missing when you're a developer

Gerardo Di Giacomo (Feb 26 2019 at 17:23, on Zulip):

https://arxiv.org/pdf/1902.09217.pdf

Shnatsel (Mar 02 2019 at 14:19, on Zulip):

https://arxiv.org/pdf/1902.09217.pdf

:point_up: this is a study of npm package hierarchy, their maintenance status, and how many accounts you need to compromise to get malicious code in the majority of packages. The situation is about as bad as you'd expect. Mitigation techniques and their potential effectiveness are also discussed. This could be valuable info for preventing the same on crates.io

Shnatsel (Mar 02 2019 at 14:19, on Zulip):

Also, here's another bug that should have got a RustSec entry, but didn't: https://github.com/nabijaczleweli/safe-transmute-rs/pull/36

Alex Gaynor (Mar 02 2019 at 14:43, on Zulip):

It's not too late to issue one!

Tony Arcieri (Mar 02 2019 at 15:12, on Zulip):

indeed. while we're yet to get our first 2019 RustSec advisory, in 2019 I've merged two retroactive ones for 2018

Tony Arcieri (Mar 02 2019 at 15:13, on Zulip):

err maybe it was just one, but still

Shnatsel (Mar 02 2019 at 15:51, on Zulip):

I've commented on the pull request

Shnatsel (Mar 02 2019 at 17:52, on Zulip):

Aaand the advisory is created: https://github.com/RustSec/advisory-db/pull/89

Gerardo Di Giacomo (Mar 02 2019 at 19:17, on Zulip):

This could be valuable info for preventing the same on crates.io

that's the reason why I shared it :)

Tony Arcieri (May 13 2019 at 15:38, on Zulip):

https://twitter.com/RustSec/status/1127960863271374853

Tony Arcieri (May 13 2019 at 15:38, on Zulip):

welp

Tony Arcieri (May 13 2019 at 15:38, on Zulip):

might be time to think about getting those into RustSec proper again

Gerardo Di Giacomo (May 13 2019 at 18:19, on Zulip):

https://crates.parity.io/src/protobuf/core.rs.html#144 is this vulnerable?

Gerardo Di Giacomo (May 13 2019 at 18:20, on Zulip):

btw, there's another protobuf bug (OOM) that is fixed in master but not shipped in the latest version: https://github.com/stepancheg/rust-protobuf/commit/66a22c88d7efb762a7e2390f2bfdb275c199434c#diff-03da03412d4490720c45da0a6f43d56cR640

Tony Arcieri (May 14 2019 at 14:56, on Zulip):

I think the vuln was specifically related to Error

Tony Arcieri (May 14 2019 at 14:56, on Zulip):

although ugh @ the protobuf crate stuff

Tony Arcieri (May 14 2019 at 14:56, on Zulip):

/me happily switched to Prost some time ago

Alex Gaynor (May 14 2019 at 22:20, on Zulip):

I think that definition of type_id is correct?

Tony Arcieri (Jun 09 2019 at 15:43, on Zulip):

fun times with format injection https://github.com/RustSec/advisory-db/issues/106

Tony Arcieri (Jun 18 2019 at 00:20, on Zulip):

thinking about filing a blanket RustSec advisory for this crate: https://crates.io/crates/aes-frast

Tony Arcieri (Jun 18 2019 at 00:20, on Zulip):

NOT for Serious Usage

Tony Arcieri (Jun 18 2019 at 00:21, on Zulip):

The AES algorithm is implemented by looking-up-tables.

Tony Arcieri (Jun 18 2019 at 00:21, on Zulip):

seems bad

Tony Arcieri (Jun 18 2019 at 00:22, on Zulip):

has a few downstream dependencies https://crates.io/crates/aes-frast/reverse_dependencies

brycx (Jun 18 2019 at 07:55, on Zulip):

He does explicitly mention timing-attacks are out-of-scope for the lib, so I don't know if it is applicable for an advisory:

However, this lib assumes that the computers which run the lib are secure and users of this lib have done something to avoid the timing problems. Usages like file encryption may be suitable.

An advisory would make clear that the following is an actual security issue and not just something some "researches" have talked about:

some researches have reported that there could be timing problems in looking-up-tables implement.

I guess people who don't know what timing-attacks encompass, would benefit more from reading a security advisory than to make decisions based on the README's security section.

Tony Arcieri (Jun 18 2019 at 15:02, on Zulip):

yeah, I can see both sides to filing or not filing an advisory

Tony Arcieri (Jun 18 2019 at 15:03, on Zulip):

but I'm not sure the author declaring a table-stakes security property of a cryptography library as out of scope actually makes it out of scope

brycx (Jun 18 2019 at 17:58, on Zulip):

True as well. TBH I'm leaning more to the filing of an advisory, purely based on the README's "could be timing problems in looking-up-tables implement". Just to make clear that the "could" should be "are".

brycx (Jun 18 2019 at 18:01, on Zulip):

Again, if people don't do their due diligence they might just think "oh there 'could' be. If there were he'd say so"

Zach Reizner (Jun 18 2019 at 19:22, on Zulip):

Note that any crate that makes use of it will also get caught up in the advisory in the crates auditor

Tony Arcieri (Jun 18 2019 at 20:01, on Zulip):

It presently has two downstream dependencies. They're what I'm actually concerned about, as they seem to be using it for "Serious Usage"

Tony Arcieri (Jun 18 2019 at 20:01, on Zulip):

https://crates.io/crates/sardine

Tony Arcieri (Jun 18 2019 at 20:02, on Zulip):

https://crates.io/crates/deploy-common

Shnatsel (Jun 20 2019 at 09:40, on Zulip):

I suppose cargo-crev would be the best place to put info like this

Shnatsel (Jun 20 2019 at 14:33, on Zulip):

Do you want to post about these on Reddit to give more visibility to the RustSec and pressure people into fixing their crates? That worked for me last time.

Tony Arcieri (Jun 20 2019 at 15:06, on Zulip):

that's a good idea

Shnatsel (Jun 20 2019 at 15:12, on Zulip):

Fun fact: once I saw those vulnerabilities I understood why Rust has this weird FormatArgs struct

Shnatsel (Jun 28 2019 at 16:35, on Zulip):

Hey look, RustSec's got another client: https://www.reddit.com/r/rust/comments/c6jryy/opensource_scanner_for_vulnerabilities_in_rust/

Tony Arcieri (Jul 01 2019 at 16:31, on Zulip):

err, what?

Tony Arcieri (Jul 01 2019 at 16:48, on Zulip):

lol it does actually use the RustSec vulnerability database? https://github.com/FiroSolutions/cifiro

Shnatsel (Jul 02 2019 at 20:48, on Zulip):

Yeah it does. Speaking of which, https://github.com/RustSec/advisory-db/pull/119 has been outstanding for a few days, any reason not to merge it?

Tony Arcieri (Jul 02 2019 at 20:49, on Zulip):

no sorry, trying to cut a release of something else here and didn't get around to reviewing it yet. let me take a look

Tony Arcieri (Jul 02 2019 at 20:50, on Zulip):

err, I guess you left the comments in :stuck_out_tongue_wink: remove them and it should be good

Tony Arcieri (Jul 02 2019 at 21:12, on Zulip):

looks good now. except Travis CI is a million years behind, I assume due to a giant spike in their queue from jobs that hit Cloudflare for stuff, which seems to be anything related to JavaScript

Shnatsel (Jul 03 2019 at 11:23, on Zulip):

Hey look, dependabot also uses rustsec database: https://github.com/coreos/afterburn/pull/239
Not sure how useful that is in the current form, but it is precedent for bothering people on github about vulnerabilities in their dependencies.

Tony Arcieri (Jul 03 2019 at 13:54, on Zulip):

on the one hand, it was cool to see Dependabot update a codebase I released yesterday. Unfortunately, it added a ton of dependencies accidentally and nobody noticed :scream:

Tony Arcieri (Jul 03 2019 at 13:55, on Zulip):

I'm a bit torn on that whole thing

Alex Gaynor (Jul 03 2019 at 14:00, on Zulip):

Now that github owns dependabot and people can get it for free, I think it's even more valuable

Gerardo Di Giacomo (Jul 09 2019 at 22:18, on Zulip):

how does dependabot behave if there's no Cargo.lock checked-in?

Alex Gaynor (Jul 09 2019 at 22:18, on Zulip):

It'll update Cargo.toml pins I think

Gerardo Di Giacomo (Jul 09 2019 at 22:19, on Zulip):

ah yes I see in https://dependabot.com/rust/

Tony Arcieri (Jul 22 2019 at 15:37, on Zulip):

wonder if I should yank some of the older versions of cargo-audit that have false positives for memoffset

Tony Arcieri (Jul 22 2019 at 15:38, on Zulip):

I just tried to respond to one I noticed and now GitHub is giving me 500s

Shnatsel (Jul 22 2019 at 18:19, on Zulip):

I think yanking is too extreme

Tony Arcieri (Jul 22 2019 at 18:27, on Zulip):

I guess I could file a pseudo-advisory against itself

Shnatsel (Jul 22 2019 at 18:29, on Zulip):

it's not a security issue, what are you talking about

Tony Arcieri (Jul 22 2019 at 18:29, on Zulip):

people aren't upgrading

Tony Arcieri (Jul 22 2019 at 18:29, on Zulip):

and they keep opening issues

Tony Arcieri (Jul 22 2019 at 18:29, on Zulip):

because they aren't upgrading

Tony Arcieri (Jul 22 2019 at 18:29, on Zulip):

and the old versions have bugs

Tony Arcieri (Jul 22 2019 at 18:29, on Zulip):

the bugs create false positives, and people are very confused why

Tony Arcieri (Jul 22 2019 at 18:29, on Zulip):

I am worried they might churn from using the tool if they can't figure out what the problem is

Shnatsel (Jul 22 2019 at 18:41, on Zulip):

yanking will not make people upgrade

Shnatsel (Jul 22 2019 at 18:41, on Zulip):

there is literally no way in Cargo to distribute updates, not even security updates

Shnatsel (Jul 22 2019 at 18:42, on Zulip):

It's this weird mix of "use the latest suitable version" when compiling and then sort of "use the oldest suitable version" when installing? At least Go is consistent in always using the oldest suitable version.

Tony Arcieri (Jul 22 2019 at 18:43, on Zulip):

yeah, a big part of the problem here is Docker too... people have some ancient Docker image with a buggy cargo-audit

Tony Arcieri (Jul 22 2019 at 18:43, on Zulip):

I have no idea how yanking affects cargo install

Tony Arcieri (Aug 26 2019 at 15:02, on Zulip):

/me sees old comment, responds to himself "yes you do, Tony" :stuck_out_tongue_wink:

Tony Arcieri (Aug 26 2019 at 15:02, on Zulip):

but uhh

Tony Arcieri (Aug 26 2019 at 15:02, on Zulip):

on a completely different note, here's a fun one: https://github.com/RustSec/advisory-db/pull/131

Tony Arcieri (Aug 26 2019 at 15:02, on Zulip):

a RustSec advisory for vulnerable example code

Alex Gaynor (Aug 26 2019 at 18:30, on Zulip):

Hmm, I'm not sure it deserves an advisory.

Tony Arcieri (Aug 27 2019 at 04:40, on Zulip):

FYI, trying to fix prerelease handling: https://github.com/RustSec/rustsec-crate/pull/69

Shnatsel (Aug 27 2019 at 19:11, on Zulip):

Wow, what a rabbit hole

ctz (Aug 27 2019 at 19:22, on Zulip):

Hmm, I'm not sure it deserves an advisory.

Well, I agree. I filed it because someone decided to allocate a CVE. Not totally sure who or why because I didn't get contacted separately

Tony Arcieri (Aug 27 2019 at 19:47, on Zulip):

@Shnatsel haha, seriously. I think it should be good now

Tony Arcieri (Aug 27 2019 at 19:47, on Zulip):

this one's gonna be ugly: https://github.com/RustSec/advisory-db/pull/132

Shnatsel (Aug 27 2019 at 19:48, on Zulip):

Why?

Tony Arcieri (Aug 27 2019 at 19:49, on Zulip):

widespread usage as a dependency

Tony Arcieri (Aug 27 2019 at 19:49, on Zulip):

for e.g. ring

Tony Arcieri (Aug 27 2019 at 23:22, on Zulip):

welp https://github.com/RustSec/cvss.rs

briansmith (Aug 28 2019 at 03:41, on Zulip):

Very annoying because it seems like it doesn't affect ring at all. If it does then there would still be an active bug in code that the PR doesn't touch. See https://github.com/RustSec/advisory-db/pull/132#discussion_r318379927.

briansmith (Aug 28 2019 at 03:42, on Zulip):

The bigger issue is that the author of spin-rs indicated he doesn't have time to work on it anymore. Now I'll be looking for a #![no_std] replacement for spin::Once. Any suggestions?

briansmith (Aug 28 2019 at 03:44, on Zulip):

Note that spin-rs was too eager to call spin_loop_hint anyway, so there are potentially perf reasons to use something else too.

Tony Arcieri (Aug 28 2019 at 04:16, on Zulip):

@briansmith oof

Tony Arcieri (Aug 28 2019 at 04:18, on Zulip):

reminds me of https://github.com/Stebalien/term/issues/93

Tony Arcieri (Aug 28 2019 at 04:18, on Zulip):

seems like there's some huge ecosystem risk in these ubiquitously used core infrastructure crates going unmaintained

Tony Arcieri (Aug 28 2019 at 04:18, on Zulip):

and potential for software supply chain attacks...

RalfJ (Aug 28 2019 at 07:36, on Zulip):

seems like there's some huge ecosystem risk in these ubiquitously used core infrastructure crates going unmaintained

spin-rs was still rather young, wasn't it? I was quite surprised (and worried) by how quickly it seemed to appear as dependency of core crates like lazy_static

RalfJ (Aug 28 2019 at 07:36, on Zulip):

(not that that even is a good idea, see https://github.com/rust-lang-nursery/lazy-static.rs/issues/150)

RalfJ (Aug 28 2019 at 07:37, on Zulip):

The race for #[no_std] has some quite negative effects on overall ecosystem reliability, it seems :/

RalfJ (Aug 28 2019 at 07:40, on Zulip):

I wish, when it comes to things like synchronization, that at least libstd things would be used where possible and the less reviewed fallbacks are only used when necessary... but spin-rs always uses its own code, even when running on systems where much better alternatives exist (e.g. parking_lot)

briansmith (Aug 28 2019 at 07:56, on Zulip):

For the most part, that's what I'm doing, only using spin directly when necessary. However, IIRC, the design of lazy_static w.r.t. its no_std support is broken: If you enable its no_std support then it will use spin even when std is available, and there's no way to sometimes use std and other times use spin depending on the context (sometimes it matters).

briansmith (Aug 28 2019 at 07:57, on Zulip):

Using parking_lot is a non-starter for me--it's not #[no_std] and so not much advantage over libstd. https://github.com/rust-lang/rust/pull/56410 has been in progress for almost a year with no end in sight.

briansmith (Aug 28 2019 at 07:59, on Zulip):

I would suggest that something like spin::Once should be in libcore or similar (maybe something analogous to the alloc crate for synchronization primitives), and I would even submit a PR to do it and/or an RFC, if there was some assurance that it wouldn't drag on for more than 3 months. But it looks like a multi-year project.

RalfJ (Aug 28 2019 at 11:48, on Zulip):

doing blocking isn't simple, IMO. if you have OS facilities available, you certainly don't want to spin while whoever has the lock is calling open...

RalfJ (Aug 28 2019 at 11:51, on Zulip):

not sure what the best design for this is. maybe something like allocators: there's a global "blocking" primitive (similar to what parking_lot has), and then Once can live in core and rely on that blocking primitive, and libstd can provide the blocking primitive, and no_std environments can provide their own.

RalfJ (Aug 28 2019 at 11:51, on Zulip):

IOW, you basically want thread::park/unpark. parking_lot's API is more complicated for performance reasons, but AFAIK the gist is the same.

RalfJ (Aug 28 2019 at 11:52, on Zulip):

not doing anything and returning immediately is a correct implementation of thread::park/unpark, so there's a trivial thing to do for bare metal code

Tony Arcieri (Aug 28 2019 at 16:34, on Zulip):

/me wishes Rust had first class support for lazy statics as opposed to a macro...

Tony Arcieri (Aug 28 2019 at 16:34, on Zulip):

a macro really makes them feel half-finished

Tony Arcieri (Aug 28 2019 at 16:35, on Zulip):

see also https://internals.rust-lang.org/t/allow-non-const-statics/10676

Tony Arcieri (Aug 28 2019 at 16:36, on Zulip):

on a completely unrelated note...

Tony Arcieri (Aug 28 2019 at 16:36, on Zulip):

the docs for the cvss crate finally rendered https://docs.rs/cvss/0.2.0/cvss/v3/base/av/enum.AttackVector.html

Tony Arcieri (Aug 28 2019 at 16:45, on Zulip):

guess I'll merge and announce the spin vulnerability

Tony Arcieri (Aug 28 2019 at 16:45, on Zulip):

brace for impact

Tony Arcieri (Aug 28 2019 at 17:36, on Zulip):

pushing the button...

Tony Arcieri (Aug 28 2019 at 17:43, on Zulip):

it's up. will tweet https://rustsec.org/advisories/RUSTSEC-2019-0013.html

Tony Arcieri (Aug 28 2019 at 17:54, on Zulip):

hopefully this helps re: spin false positives https://twitter.com/RustSec/status/1166770956095746048

Stuart Small (Aug 28 2019 at 18:22, on Zulip):

Someone in another chat I'm in brought up rustsec is blocked by their virus scan, sophos. I'm opening a support ticket to get it re-evaluated

Tony Arcieri (Aug 28 2019 at 18:25, on Zulip):

huh, how'd they install it? and wouldn't that impact other Rust apps?

Stuart Small (Aug 28 2019 at 18:27, on Zulip):

It is some crappy endpoint software. Looks like it lets the org set rules on categories of sites they can visit. It's probably just a mistake on the endpoint software's categorization. It doesn't sound like he has issues with other rust sites

Tony Arcieri (Aug 28 2019 at 18:28, on Zulip):

oh weird, it flagged https://rustsec.org ?

Tony Arcieri (Aug 28 2019 at 18:29, on Zulip):

maybe a false positive triggered by all the scary wording about vulnerabilities :wink:

Stuart Small (Aug 28 2019 at 18:29, on Zulip):

That's what I thought until he shared a screenshot saying it was because of swimwear and other inappropriate apparel.

Stuart Small (Aug 28 2019 at 18:30, on Zulip):

Stupid sexy Ferris

Stuart Small (Aug 28 2019 at 18:30, on Zulip):

Either way, ticket is in with the vendor but figured you might want to know in case other users have issues.

Tony Arcieri (Aug 28 2019 at 19:46, on Zulip):

FYI, just added (optional) CVSS v3 scores to RustSec advisories: https://github.com/RustSec/rustsec-crate/pull/72

Tony Arcieri (Aug 28 2019 at 19:47, on Zulip):

we need them to file CVEs anyway, and it provides a path to severity filtering: https://docs.rs/cvss/0.2.0/cvss/severity/enum.Severity.html

Tony Arcieri (Aug 28 2019 at 19:47, on Zulip):

also trying to do some (backwards compatible) sprucing up of the advisory format and rustsec crate in general: https://github.com/RustSec/rustsec-crate/pull/73

Tony Arcieri (Aug 28 2019 at 19:47, on Zulip):

splitting out [affected] and [versions] sections

Tony Arcieri (Aug 29 2019 at 02:54, on Zulip):

#cratesineverwantedtowritebutdid https://github.com/RustSec/cvss.rs

Tony Arcieri (Aug 29 2019 at 05:09, on Zulip):

will make a separate stream for it

RalfJ (Aug 29 2019 at 06:53, on Zulip):

That's what I thought until he shared a screenshot saying it was because swimwear and other inappropriate apparel.

swimwear is inappropriate? do they propose we bathe naked? :P

Tony Arcieri (Aug 29 2019 at 14:28, on Zulip):

FYI, a PR to add categories to RustSec advisories, based on our criteria for which vulnerability categories are allowed https://github.com/RustSec/rustsec-crate/pull/74

Shnatsel (Aug 31 2019 at 19:05, on Zulip):

I'm prodding people fixing unsoundness to file RustSec advisories again. I'll post issues/PRs where I do that so that if nothing comes out of them after a week or so we can do that ourselves:

https://github.com/image-rs/image/pull/985
https://github.com/tomprogrammer/rust-ascii/issues/64
https://github.com/Robbepop/string-interner/issues/9
more to come

Shnatsel (Aug 31 2019 at 20:00, on Zulip):

Wow, that's a LONG list and I'm still not done

Shnatsel (Aug 31 2019 at 20:10, on Zulip):

Okay I'm done. I've looked through the first 15 pages of results for "unsound" in Rust code on GitHub, in issues and PRs, when ordered by relevance.
Not looking at other keywords like "segfault" at this time.

Tony Arcieri (Aug 31 2019 at 20:23, on Zulip):

:scream:

Shnatsel (Aug 31 2019 at 20:38, on Zulip):

Maybe we should make a habit of posting every advisory on Reddit to promote RustSec. So many vulns go unreported otherwise.

Shnatsel (Aug 31 2019 at 20:44, on Zulip):

@Tony Arcieri I've noticed that I do not have permission to merge RustSec pull requests. Is that intentional?

Tony Arcieri (Aug 31 2019 at 20:45, on Zulip):

no, I just haven't done a proper team setup

Tony Arcieri (Aug 31 2019 at 20:45, on Zulip):

also wish we had GitHub Actions to automate this stuff. I should bug some people at GitHub about it

Shnatsel (Sep 01 2019 at 13:04, on Zulip):

Not sure what github actions are, but I could probably throw together a shell script to do that in 20 minutes or so

Tony Arcieri (Sep 01 2019 at 15:36, on Zulip):

haha uhh, I'd rather have something extensible/maintainable :stuck_out_tongue_wink:

Tony Arcieri (Sep 01 2019 at 15:37, on Zulip):

something I've been thinking about doing is moving the Rust app that's presently in the advisory-db repo out into a separate CLI tool for performing administrative actions

Tony Arcieri (Sep 01 2019 at 15:39, on Zulip):

the other challenge is... credentials, if we want it to tweet, post to Reddit, etc

Tony Arcieri (Sep 02 2019 at 02:02, on Zulip):

finally filing std vulns: https://github.com/RustSec/advisory-db/pull/146

Tony Arcieri (Sep 04 2019 at 16:55, on Zulip):

oh boy https://github.com/RustSec/advisory-db/pull/149/files

Shnatsel (Sep 08 2019 at 08:53, on Zulip):

Aaand RustSec is now popular enough to be mentioned in memes: https://www.reddit.com/r/rustjerk/comments/d1716z/bad_unsafe_meme/

Tony Arcieri (Sep 08 2019 at 18:54, on Zulip):

hah

Tony Arcieri (Sep 08 2019 at 18:55, on Zulip):

well I'm about ready to release rustsec crate v0.13

Tony Arcieri (Sep 08 2019 at 18:55, on Zulip):

just hooked it up to the web site generator and it spat out pages for the std vulns: https://rustsec.org/advisories/CVE-2019-12083.html

Tony Arcieri (Sep 08 2019 at 18:57, on Zulip):

it's also displaying inverse dependency trees for the crates impacted by particular advisories ala cargo-tree:

Tony Arcieri (Sep 08 2019 at 18:57, on Zulip):

pasted image

Tony Arcieri (Sep 08 2019 at 18:57, on Zulip):

sadly there doesn't appear to be a good resolution for that one other than opening upstream issues or just hitting the API directly :cry:

RalfJ (Sep 16 2019 at 11:26, on Zulip):

Aaand RustSec is now popular enough to be mentioned in memes: https://www.reddit.com/r/rustjerk/comments/d1716z/bad_unsafe_meme/

it mentions Miri too <3

RalfJ (Sep 16 2019 at 11:31, on Zulip):

oh boy https://github.com/RustSec/advisory-db/pull/149/files

I am confused now... so we are filing advisories now for "de jure UB" without known exploitability?
(Last time I asked, the answer I got was "generally no")

RalfJ (Sep 16 2019 at 11:33, on Zulip):

(not to mention that ptr provenance rules are still not set down, so it's at best "experimental de jure UB")

RalfJ (Sep 17 2019 at 06:17, on Zulip):

ah, it hasn't been merged yet

Tony Arcieri (Sep 18 2019 at 16:28, on Zulip):

I suggested not merging that one

Tony Arcieri (Sep 23 2019 at 15:41, on Zulip):

FYI, just cut a release of the rustsec crate v0.13.0: https://github.com/RustSec/rustsec-crate/pull/103

Tony Arcieri (Sep 23 2019 at 15:41, on Zulip):

lots of new stuff

Tony Arcieri (Sep 23 2019 at 15:42, on Zulip):

@nikomatsakis another thing we could potentially contribute a Team Blog post for is the next release of cargo-audit and the new features it will have. I don't think there's ever been a blog post about RustSec at all, so it'd be a good way to raise awareness

Shnatsel (Sep 23 2019 at 22:01, on Zulip):

Why are we not posting to Reddit for every new advisory anymore? We should.

Shnatsel (Sep 23 2019 at 22:01, on Zulip):

Also before I subscribed to RustSec repos I never appreciated how much work goes into RustSec

Tony Arcieri (Sep 23 2019 at 23:15, on Zulip):

anymore? I haven't done that in the past but it's a good idea

Tony Arcieri (Sep 24 2019 at 14:48, on Zulip):

cargo-audit v0.9.0-beta2 is out: https://crates.io/crates/cargo-audit/0.9.0-beta2

Tony Arcieri (Sep 24 2019 at 14:49, on Zulip):

would appreciate if people could test it out a bit, otherwise I think it's ready to go

Stuart Small (Sep 24 2019 at 14:55, on Zulip):

What's new in this version? It'll help in testing

Tony Arcieri (Sep 24 2019 at 15:00, on Zulip):

a number of features that aren't utilized yet, and a bunch of internal changes. but if you want something fancy you can see, check out the dependency trees

Tony Arcieri (Sep 24 2019 at 15:00, on Zulip):

Screen-Shot-2019-09-24-at-7.50.11-AM.png

Tony Arcieri (Sep 24 2019 at 15:01, on Zulip):

need to put together a proper changelog :wink:

Shnatsel (Sep 24 2019 at 21:02, on Zulip):

I think cargo-geiger and cargo-tree have basically the exact same thing... good opportunity for code sharing there

Tony Arcieri (Sep 24 2019 at 21:30, on Zulip):

the tree-rendering code it uses is a minification of cargo-tree that works on a Cargo.lock file rather than... well, cargo-tree does a rather extensive analysis from Cargo.toml

Tony Arcieri (Sep 24 2019 at 21:31, on Zulip):

based on petgraph, also ala cargo-tree

Tony Arcieri (Sep 24 2019 at 21:32, on Zulip):

https://github.com/RustSec/cargo-lock/blob/master/src/dependency/tree.rs

Tony Arcieri (Sep 25 2019 at 19:35, on Zulip):

cargo-audit v0.9.0 is out https://twitter.com/RustSec/status/1176936445698691072

Thom Chiovoloni (Sep 25 2019 at 23:42, on Zulip):

Ah, that explains why we suddenly started getting stack overflows when running cargo audit lol https://circleci.com/gh/mozilla/application-services/31924?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link (I'll file a bug about this tomorrow)

Tony Arcieri (Sep 25 2019 at 23:53, on Zulip):

haha, yeah a few bugs :wink:

Thom Chiovoloni (Sep 25 2019 at 23:55, on Zulip):

Ended up filing it now: https://github.com/RustSec/cargo-audit/issues/133

Tony Arcieri (Sep 26 2019 at 00:08, on Zulip):

@Thom Chiovoloni reproed, thanks

Tony Arcieri (Sep 26 2019 at 02:46, on Zulip):

@Thom Chiovoloni I just released v0.9.1. Can you tell me if that fixes the problem? It did for me locally

Thom Chiovoloni (Sep 26 2019 at 14:08, on Zulip):

Seems to work, thanks

Tony Arcieri (Sep 30 2019 at 17:49, on Zulip):

this seems like the sort of vulnerability where it'd be nice if cargo-audit warned that you have a vulnerable version of the compiler activated: https://rustsec.org/advisories/CVE-2019-16760.html

Tony Arcieri (Oct 02 2019 at 18:28, on Zulip):

https://github.com/RustSec/advisory-db/issues/173

Tony Arcieri (Oct 02 2019 at 18:28, on Zulip):

"File informational advisories for unmaintained crates "

Tony Arcieri (Oct 03 2019 at 16:10, on Zulip):

I opened a PR with a blog post about cargo-audit v0.9 if anyone would like to read it over before we publish it:

PR: https://github.com/rust-lang/blog.rust-lang.org/pull/412
Rendered: https://github.com/rust-lang/blog.rust-lang.org/blob/bc83123b66940c3da405a7c9b6110c55987c6832/posts/inside-rust/2019-10-03-Keeping-secure-with-cargo-audit-0.9.md

Tony Arcieri (Oct 03 2019 at 16:39, on Zulip):

nm I guess it's already up! :sweat_smile: https://blog.rust-lang.org/inside-rust/2019/10/03/Keeping-secure-with-cargo-audit-0.9.html

Tony Arcieri (Oct 05 2019 at 16:41, on Zulip):

Screen-Shot-2019-10-05-at-9.41.00-AM.png

Tony Arcieri (Oct 05 2019 at 16:41, on Zulip):

blog post seems to have succeeded in increasing downloads :tada:

Shnatsel (Oct 06 2019 at 18:03, on Zulip):

We already have an advisory for ncurses crate (https://github.com/RustSec/advisory-db/pull/107) because of format string vulnerabilities, but I've recently learned that nearly every single function in it is broken (https://github.com/jeaye/ncurses-rs/issues/188). Should I file another advisory saying "EVERYTHING EXPLODES"?

Thom Chiovoloni (Oct 07 2019 at 15:50, on Zulip):

Yeah, the reason I didn't fix the specific issues in the ncurses crate (e.g. filing a PR that marked the clearly-never-sound-to-use parts of the API as unsafe) when I filed the advisory is because basically every time I stared for more than a few minutes at its functions I'd find new problems

Tony Arcieri (Oct 07 2019 at 18:40, on Zulip):

hahaha

Tony Arcieri (Oct 09 2019 at 18:40, on Zulip):

Neat: https://github.com/actions-rs/audit-check/

Shnatsel (Oct 09 2019 at 23:29, on Zulip):

RustSec advisories for unmaintained crates are getting attention now: https://github.com/image-rs/image-png/blob/edcf8b07a355159fe69248aeb757cc48f212cf41/png-afl/src/main.rs#L6

Tony Arcieri (Oct 09 2019 at 23:30, on Zulip):

err, is that the right link?

Shnatsel (Oct 09 2019 at 23:30, on Zulip):

It is now!

Tony Arcieri (Oct 09 2019 at 23:31, on Zulip):

haha nice!

Shnatsel (Oct 12 2019 at 18:39, on Zulip):

Another rustsec-based tool: https://www.reddit.com/r/rust/comments/dgz1ci/announcing_cargoaudittags/

Tony Arcieri (Oct 12 2019 at 19:45, on Zulip):

nice. also here's someone who posted a vuln to Reddit https://www.reddit.com/r/rust/comments/dguqt3/vulnerability_in_sodiumoxide_generichashdigesteq/

DPC (Oct 12 2019 at 20:24, on Zulip):

Is there a plan to take over rust-crypto? I could form a team unrelated to this wg that could maintain it

Tony Arcieri (Oct 12 2019 at 20:36, on Zulip):

personally I'd rather just let it die and be replaced by modern alternatives

Tony Arcieri (Oct 12 2019 at 20:38, on Zulip):

it has so many issues, both as a legacy pre-Rust 1.0 codebase, and just in terms of its overall design (and violating the CryptoCoding design principles like separating safe crypto APIs from "shoot yourself in the foot" APIs) I'd consider it fairly unsalvageable

Tony Arcieri (Oct 12 2019 at 20:40, on Zulip):

https://arxiv.org/pdf/1806.04929.pdf

Tony Arcieri (Oct 12 2019 at 20:41, on Zulip):

see section 6 in particular

Tony Arcieri (Oct 12 2019 at 20:41, on Zulip):

things like this:

Tony Arcieri (Oct 12 2019 at 20:41, on Zulip):

11) Hide low-level APIs in a separate API layer called "hazardous materials". By naming it like this, developers take notice that they might be doing something dangerous.

DPC (Oct 12 2019 at 20:57, on Zulip):

Ah, makes sense. Better then to spend efforts on going through its reverse dependencies and suggesting them alternatives. Thanks

Tony Arcieri (Oct 12 2019 at 21:59, on Zulip):

yup! and hopefully the unmaintained crate advisory helps that process happen organically

Tony Arcieri (Oct 19 2019 at 20:16, on Zulip):

just noticed cargo-audit is the #1 cargo plugin by recent downloads https://crates.io/categories/development-tools::cargo-plugins

Tony Arcieri (Oct 19 2019 at 20:16, on Zulip):

#4 by all-time downloads

Tony Arcieri (Oct 23 2019 at 15:34, on Zulip):

https://github.com/abonander/safemem/issues/7

Tony Arcieri (Oct 23 2019 at 15:36, on Zulip):

WDYT re: an advisory? I'm leaning towards yes, although I'm a little unclear on exploitability

Thom Chiovoloni (Oct 23 2019 at 17:14, on Zulip):

This allows access to an uninitialized &[T] where T: Copy? Not sure, that doesn't feel exploitable at all to me.

Tony Arcieri (Oct 23 2019 at 17:21, on Zulip):

here's the actual advisory PR if anyone wants to leave a comment: https://github.com/RustSec/advisory-db/pull/198

Tony Arcieri (Oct 23 2019 at 17:21, on Zulip):

@RalfJ @Shnatsel any thoughts on ^^^ ?

Tony Arcieri (Oct 23 2019 at 17:21, on Zulip):

or @Alex Gaynor

Tony Arcieri (Oct 23 2019 at 18:29, on Zulip):

thanks for looking @RalfJ

Tony Arcieri (Oct 24 2019 at 21:07, on Zulip):

https://twitter.com/naftulikay/status/1187128722664517632

Tony Arcieri (Oct 24 2019 at 21:08, on Zulip):

@Alex Gaynor ^^^ seems like the best way to fix Travis CI

Tony Arcieri (Oct 24 2019 at 21:08, on Zulip):

and ooh https://twitter.com/fedor/status/1187178265464791040

Alex Gaynor (Oct 25 2019 at 03:47, on Zulip):

That'd definitely be a neat solution.

Tony Arcieri (Oct 25 2019 at 04:50, on Zulip):

jrdhlvuvinrkuibnirfbunlnvbbegvbhrbehjngnugct

Tony Arcieri (Oct 27 2019 at 19:53, on Zulip):

heh, there are now two (more or less competing) PRs for a cargo audit fix command

Tony Arcieri (Oct 27 2019 at 19:53, on Zulip):

which more or less take the same strategy: pull in cargo-edit as a library

Alex Gaynor (Oct 27 2019 at 19:54, on Zulip):

Neat. It seems like a pretty sensible strategy

Tony Arcieri (Oct 27 2019 at 19:54, on Zulip):

yeah, and we can put it under a fix feature or something if people want faster compile times

Tony Arcieri (Oct 27 2019 at 19:56, on Zulip):

it's kind of cool, I think they both implement the minimum viable KISS solution to upgrade the project: take the fixed version req and tell cargo-edit "upgrade to that"

Tony Arcieri (Oct 27 2019 at 19:57, on Zulip):

which should... hopefully pull in the most recent version that's compatible

Tony Arcieri (Oct 27 2019 at 19:57, on Zulip):

and implementation-wise they're both tiny

Last update: Nov 11 2019 at 22:00UTC