Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RUSTSEC-2022-0040: Multiple soundness issues in owning_ref #2794

Closed
github-actions bot opened this issue Aug 3, 2022 · 3 comments · Fixed by #2822
Closed

RUSTSEC-2022-0040: Multiple soundness issues in owning_ref #2794

github-actions bot opened this issue Aug 3, 2022 · 3 comments · Fixed by #2822

Comments

@github-actions
Copy link

github-actions bot commented Aug 3, 2022

Multiple soundness issues in owning_ref

Details
Package owning_ref
Version 0.4.1
URL https://github.com/noamtashma/owning-ref-unsoundness
Date 2022-01-26
  • OwningRef::map_with_owner is unsound and may result in a use-after-free.
  • OwningRef::map is unsound and may result in a use-after-free.
  • OwningRefMut::as_owner and OwningRefMut::as_owner_mut are unsound and may result in a use-after-free.
  • The crate violates Rust's aliasing rules, which may cause miscompilations on recent compilers that emit the LLVM noalias attribute.

No patched versions are available at this time. While a pull request with some fixes is outstanding, the maintainer appears to be unresponsive.

See advisory page for additional details.
@mxinden mxinden mentioned this issue Aug 3, 2022
Closed
@LesnyRumcajs LesnyRumcajs mentioned this issue Aug 3, 2022
Merged
betarelease added a commit to betarelease/pyrsia that referenced this issue Aug 3, 2022
@betarelease
Ignores the advisory for owning_ref
498dae7 
- owning_ref is a dependency of libp2p and has a vulnerability that does not have an upgrade path
- this breaks our audit check and hence we need to ignore it till the upgrade is available.
- this vulnerability has been around since Jan 2022 and also the codebase has not been updated for 2 years
- so our mileage is going to be meh.
- libp2p/rust-libp2p#2794
betarelease added a commit to betarelease/pyrsia that referenced this issue Aug 3, 2022
@betarelease
Ignores the advisory for owning_ref
238ca26 
- owning_ref is a dependency of libp2p and has a vulnerability that does not have an upgrade path
- this breaks our audit check and hence we need to ignore it till the upgrade is available.
- this vulnerability has been around since Jan 2022 and also the codebase has not been updated for 2 years
- so our mileage is going to be meh.
- libp2p/rust-libp2p#2794
@betarelease betarelease mentioned this issue Aug 3, 2022
Merged
7 tasks
@AbhijithGanesh
Copy link

AbhijithGanesh commented Aug 3, 2022
edited
Loading

Hello team! I am one of the contributors from Pyrsia! I was investigating through the issue and as per my understanding of the usage of prometheus_client in misc/metrics. The library uses Owning_Ref which affects the library!

@AbhijithGanesh AbhijithGanesh mentioned this issue Aug 3, 2022
Closed
betarelease added a commit to pyrsia/pyrsia that referenced this issue Aug 3, 2022
@betarelease
Ignores the advisory for owning_ref (#919)
e82a345 
- owning_ref is a dependency of libp2p and has a vulnerability that does not have an upgrade path
- this breaks our audit check and hence we need to ignore it till the upgrade is available.
- this vulnerability has been around since Jan 2022 and also the codebase has not been updated for 2 years
- so our mileage is going to be meh.
- libp2p/rust-libp2p#2794
betarelease added a commit to pyrsia/pyrsia that referenced this issue Aug 3, 2022
@betarelease
Shows the artifacts_directory being used by artifact_service in debug… (
c0da513 
#916)

Ignores the advisory for owning_ref
- owning_ref is a dependency of libp2p and has a vulnerability that does not have an upgrade path
- this breaks our audit check and hence we need to ignore it till the upgrade is available.
- this vulnerability has been around since Jan 2022 and also the codebase has not been updated for 2 years
- so our mileage is going to be meh.
- libp2p/rust-libp2p#2794
@mxinden
Copy link
Member

mxinden commented Aug 4, 2022

Hello team! I am one of the contributors from Pyrsia!

👋 great to have you here.

I was investigating through the issue and as per my understanding of the usage of prometheus_client in misc/metrics. The library uses Owning_Ref which affects the library!

That is correct.

Disclaimer, I am a maintainer of the libp2p crate and the maintainer of the prometheus-client crate.

I documented my thoughts here prometheus/client_rust#77 (comment). Help much appreciated.

@mxinden mxinden mentioned this issue Aug 10, 2022
Merged
4 tasks
@kayabaNerve
Copy link
Contributor

Since the above was merged, libp2p updating to prometheus-client 0.18.0 should fix this.

@mxinden mxinden mentioned this issue Aug 17, 2022
Merged
@mxinden mxinden linked a pull request Aug 17, 2022 that will close this issue
build(deps): Update prometheus-client requirement from 0.17.0 to 0.18.0 #2822
Merged
This was referenced Aug 24, 2022
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

build(deps): Update prometheus-client requirement from 0.17.0 to 0.18.0 libp2p/rust-libp2p
3 participants
@mxinden @kayabaNerve @AbhijithGanesh