
Regression: RUSTSEC-2018-0007 triggers error for trust-dns-proto 0.20.0-alpha.3 #316

Closed
djc opened this issue Dec 9, 2020 · 5 comments · Fixed by #318
Labels
bug Something isn't working

Comments

@djc

djc commented Dec 9, 2020

Describe the bug

In my CI run just now, I had this failure:

error[A001]: Stack overflow when parsing malicious DNS packet
    ┌─ /github/workspace/Cargo.lock:218:1
    │
218 │ trust-dns-proto 0.20.0-alpha.3 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------------------------ security vulnerability detected
    │
    = ID: RUSTSEC-2018-0007
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2018-0007
    = There's a stack overflow leading to a crash when Trust-DNS's parses a
      malicious DNS packet.
      
      Affected versions of this crate did not properly handle parsing of DNS message
      compression (RFC1035 section 4.1.4). The parser could be tricked into infinite
      loop when a compression offset pointed back to the same domain name to be
      parsed.
      
      This allows an attacker to craft a malicious DNS packet which when consumed
      with Trust-DNS could cause stack overflow and crash the affected software.
      
      The flaw was corrected by trust-dns-proto 0.4.3 and upcoming 0.5.0 release.
    = Solution: Upgrade to >=0.4.3 OR >=0.5.0-alpha.3
    = trust-dns-proto v0.20.0-alpha.3
      ├── trust-dns-https v0.20.0-alpha.3
      │   └── trust-dns-resolver v0.20.0-alpha.3
      │       ├── nominl v0.1.0
      │       └── tools v0.1.0
      ├── trust-dns-resolver v0.20.0-alpha.3 (*)
      └── trust-dns-rustls v0.20.0-alpha.3
          ├── trust-dns-https v0.20.0-alpha.3 (*)
          └── trust-dns-resolver v0.20.0-alpha.3 (*)

This is pretty surprising, since I haven't changed the trust-dns version in my dependency graph recently -- this was working fine just hours ago.

Expected behavior
I did not expect v0.20.0-alpha.3 to trigger an error for a vulnerability that is supposed to be resolved by version >=0.5.0-alpha.3.

Device:

  • OS: ubuntu-latest on GitHub CI
  • Version: Step 2/6 : ENV deny_version=0.8.4
@djc djc added the bug Something isn't working label Dec 9, 2020
@djc
Author

djc commented Dec 10, 2020

FWIW, I can also reproduce this locally with cargo-deny 0.8.4.

@djc
Author

djc commented Dec 10, 2020

This is enough to reproduce:

djc-2019 tmp $ cargo init fail
     Created binary (application) package
djc-2019 tmp $ cd fail
djc-2019 master fail $ echo 'trust-dns-resolver = "0.20.0-alpha.3"' >> Cargo.toml
djc-2019 master fail $ cargo deny --version
cargo-deny 0.8.4
djc-2019 master fail $ cargo deny check advisories
2020-12-10 14:58:37 [WARN] unable to find a config path, falling back to default config
error[A001]: Stack overflow when parsing malicious DNS packet
   ┌─ /Users/djc/tmp/fail/Cargo.lock:65:1
   │
65 │ trust-dns-proto 0.20.0-alpha.3 registry+https://github.com/rust-lang/crates.io-index
   │ ------------------------------------------------------------------------------------ security vulnerability detected
   │
   = ID: RUSTSEC-2018-0007
   = Advisory: https://rustsec.org/advisories/RUSTSEC-2018-0007
   = There's a stack overflow leading to a crash when Trust-DNS's parses a
     malicious DNS packet.

     Affected versions of this crate did not properly handle parsing of DNS message
     compression (RFC1035 section 4.1.4). The parser could be tricked into infinite
     loop when a compression offset pointed back to the same domain name to be
     parsed.

     This allows an attacker to craft a malicious DNS packet which when consumed
     with Trust-DNS could cause stack overflow and crash the affected software.

     The flaw was corrected by trust-dns-proto 0.4.3 and upcoming 0.5.0 release.
   = Solution: Upgrade to >=0.4.3 OR >=0.5.0-alpha.3
   = trust-dns-proto v0.20.0-alpha.3
     └── trust-dns-resolver v0.20.0-alpha.3
         └── fail v0.1.0

warning[A003]: `net2` crate has been deprecated; use `socket2` instead
   ┌─ /Users/djc/tmp/fail/Cargo.lock:36:1
   │
36 │ net2 0.2.37 registry+https://github.com/rust-lang/crates.io-index
   │ ----------------------------------------------------------------- unmaintained advisory detected
   │
   = ID: RUSTSEC-2020-0016
   = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0016
   = The [`net2`](https://crates.io/crates/net2) crate has been deprecated
     and users are encouraged to considered [`socket2`](https://crates.io/crates/socket2) instead.
   = Announcement: https://github.com/deprecrated/net2-rs/commit/3350e3819adf151709047e93f25583a5df681091
   = Solution: No safe upgrade is available!
   = net2 v0.2.37
     ├── mio v0.6.23
     │   └── tokio v0.2.24
     │       ├── trust-dns-proto v0.20.0-alpha.3
     │       │   └── trust-dns-resolver v0.20.0-alpha.3
     │       │       └── fail v0.1.0
     │       └── trust-dns-resolver v0.20.0-alpha.3 (*)
     └── miow v0.2.2
         └── mio v0.6.23 (*)

advisories FAILED

@Jake-Shadle
Member

Thanks for the short repro, will try and get a fix in tomorrow.

@Jake-Shadle
Member

So this is a regression in the semver crate with regard to version requirements with pre-release identifiers (see https://github.com/RustSec/rustsec-crate/issues/218 for links to various issues). Until this is fixed in the rustsec crate, I'm going to add a workaround in cargo-deny to do an additional filter pass to weed these out.
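
The block below is an added illustration, not cargo-deny's or rustsec's code. It contrasts the two pre-release semantics at play when a version from Cargo.lock is checked against an advisory's patched ranges: plain SemVer 2.0.0 precedence (spec section 11) versus Cargo's rule that a pre-release version matches a comparator only if that comparator is itself a pre-release on the same major.minor.patch; the page does not say which semver crate change caused the regression, so `cargo_rule` here is a model of the stricter behaviour, not a claim about the crate's internals. Applied to RUSTSEC-2018-0007's ranges it shows why 0.20.0-alpha.3 is patched under precedence yet can be flagged under the stricter rule.

```rust
// Added illustration (not cargo-deny or rustsec code): a pre-release version checked
// against RUSTSEC-2018-0007's patched ranges under plain SemVer 2.0.0 precedence and
// under a Cargo-style pre-release rule (see `satisfies_ge`).
use std::cmp::Ordering;
#[derive(Debug, PartialEq, Eq)]
pub struct Version { core: [u64; 3], pre: Vec<String> }
pub fn parse(s: &str) -> Option<Version> {
    let s = s.split('+').next().unwrap(); // build metadata never affects precedence
    let (core, pre) = s.split_once('-').unwrap_or((s, ""));
    let mut n = core.split('.').map(|x| x.parse::<u64>().ok());
    let core = [n.next()??, n.next()??, n.next()??];
    if n.next().is_some() { return None; } // exactly three numeric components
    let pre: Vec<String> = pre.split('.').filter(|p| !p.is_empty()).map(String::from).collect();
    Some(Version { core, pre })
}
// One pre-release identifier: numeric < alphanumeric; numeric by value, else lexical.
fn cmp_ident(a: &str, b: &str) -> Ordering {
    match (a.parse::<u64>(), b.parse::<u64>()) {
        (Ok(x), Ok(y)) => x.cmp(&y),
        (Ok(_), Err(_)) => Ordering::Less,
        (Err(_), Ok(_)) => Ordering::Greater,
        _ => a.cmp(b),
    }
}
impl Ord for Version {
    fn cmp(&self, o: &Self) -> Ordering {
        self.core.cmp(&o.core).then_with(|| match (self.pre.is_empty(), o.pre.is_empty()) {
            (true, true) => Ordering::Equal,
            (true, false) => Ordering::Greater, // a release outranks its own pre-releases
            (false, true) => Ordering::Less,
            _ => self.pre.iter().zip(&o.pre).map(|(a, b)| cmp_ident(a, b))
                .find(|c| *c != Ordering::Equal)
                .unwrap_or_else(|| self.pre.len().cmp(&o.pre.len())), // shorter list is lower
        })
    }
}
impl PartialOrd for Version { fn partial_cmp(&self, o: &Self) -> Option<Ordering> { Some(self.cmp(o)) } }
/// `v >= bound`. With `cargo_rule`, a pre-release `v` can only satisfy a bound that is
/// itself a pre-release on the same major.minor.patch (modelled Cargo behaviour).
pub fn satisfies_ge(v: &Version, bound: &Version, cargo_rule: bool) -> bool {
    let cargo_ok = v.pre.is_empty() || (v.core == bound.core && !bound.pre.is_empty());
    (!cargo_rule || cargo_ok) && v >= bound
}
/// Vulnerable to RUSTSEC-2018-0007 unless patched by ">=0.4.3 OR >=0.5.0-alpha.3".
/// Under plain precedence 0.4.3 <= 0.5.0-alpha.3, so the second range only matters under
/// the Cargo-style rule. Returns None for an unparsable version string.
pub fn is_vulnerable(version: &str, cargo_rule: bool) -> Option<bool> {
    let v = parse(version)?;
    let patched = ["0.4.3", "0.5.0-alpha.3"].map(|p| parse(p).unwrap());
    Some(!patched.iter().any(|b| satisfies_ge(&v, b, cargo_rule)))
}
```

With `cargo_rule = true`, 0.20.0-alpha.3 matches neither range (a pre-release against a release bound, or against a pre-release bound on a different core) and is reported vulnerable, which is the shape of the false positive in this issue; with plain precedence it is well above both bounds.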

@djc
Author

djc commented Dec 15, 2020

Thanks!
