Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deny.toml stricten unknown sources + bump tokio for rustsec issue #727

Merged
merged 2 commits into from
Nov 22, 2021
Merged

deny.toml stricten unknown sources + bump tokio for rustsec issue #727

merged 2 commits into from
Nov 22, 2021

Conversation

clux
Copy link
Member

@clux clux commented Nov 21, 2021
edited
Loading

found a rustsec issue running cargo deny check manually. came out a few days ago. https://rustsec.org/advisories/RUSTSEC-2021-0124. it looks like it applies to us since we use oneshot in the controller. description from discord:

If a tokio::sync::oneshot channel is closed (via the oneshot::Sender::close or oneshot::Receiver::close methods), a data race may occur if the oneshot::Sender::send method is called while the corresponding oneshot::Receiver is awaited or calling try_recv.

we use it only once (excluding tests) in the graceful_ shutdown channel, and those channels only close when we close the whole app, but memory corruption - even at that point - could be bad.

@clux
upgrade tokio for rustsec 2021-0124
967b58c 
ID: RUSTSEC-2021-0124
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0124
    = If a `tokio::sync::oneshot` channel is closed (via the
      [`oneshot::Receiver::close`] method), a data race may occur if the
      `oneshot::Sender::send` method is called while the corresponding
      `oneshot::Receiver` is `await`ed or calling `try_recv`.

Signed-off-by: clux <[email protected]>
@clux
cargo deny: strict checks on unknown registry + git sources
fa46230 
Signed-off-by: clux <[email protected]>
@clux clux mentioned this pull request Nov 21, 2021
Closed
33 tasks
@clux clux modified the milestone: 0.65.0 Nov 21, 2021
@clux clux requested a review from nightkr November 21, 2021 19:52
@clux
Copy link
Member Author

clux commented Nov 21, 2021

was trying to figure out why it didn't trigger on CI, and it was because it only showed up locally because my local lockfile had set tokio to 0.12. so this isn't actually an issue that we need to rush a release out for, users can pin a newer version of tokio to fix this themselves.

@clux clux added this to the 0.65.0 milestone Nov 21, 2021
@clux clux merged commit f780319 into master Nov 22, 2021
@clux clux deleted the audit-tokio branch November 22, 2021 08:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nightkr nightkr Awaiting requested review from nightkr

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.65.0
Development

Successfully merging this pull request may close these issues.
1 participant
@clux