Travis currently tests stable/beta/nightly, so this won't get caught. Would you be open to a "minimally supported Rust version" policy in your crate? What I usually do is specify that version in the README and add a CI test target for that version. Depending on how strict you want to be, you can then increment the minor or the major version whenever the minimally required Rust version changes, and declare that change in your changelog.
Tony Arcieri
@tarcieri
@dbrgn absolutely. What do you happen to be using? We can start there :wink:
Danilo Bargen
@dbrgn
@tarcieri sorry, only saw your reply now. gitter isn't great about notifications.
I'll try to create a pull request by next week with what I suggested above :)
Tony Arcieri
@tarcieri
@dbrgn I think the ship may have sailed on nested import syntax. Gonna switch out some dependencies, and I'm afraid that will probably be required at this point
but I could call, say, 1.27 the minimum
Danilo Bargen
@dbrgn
Yeah, that would already be an improvement :)
Konrad Borowski
@KonradBorowski_gitlab
Didn't realize this gitter room existed.
I'm assuming an abort (not a panic, you cannot catch unwind for aborts) in a library is a vulnerability?
@tarcieri
Konrad Borowski
@KonradBorowski_gitlab
by the way, I requested a CVE number for two pull requests I made, but I think it will take them a while to respond, so I submitted a vulnerability without CVE numbers for now
Tony Arcieri
@tarcieri
@KonradBorowski_gitlab ohai... I think they're worth including
Konrad Borowski
@KonradBorowski_gitlab
"I would include DoS issues that crash the entire process because you cannot reasonably guard against them in a DoS-critical application."
oh, okay, so it's fine according to rustsec guidelines
Tony Arcieri
@tarcieri
yeah
Konrad Borowski
@KonradBorowski_gitlab
I submitted two pull requests by the way, feel free to review them
Tony Arcieri
@tarcieri
yeah I saw, will review them soon
Konrad Borowski
@KonradBorowski_gitlab
thanks :)
Konrad Borowski
@KonradBorowski_gitlab
but yeah, I think a panic isn't exactly a security issue, annoying, sure, but not really a security issue
Rust doesn't really prevent you from panicking, and it's easy to catch unwind in a server application
so, sure, an HTTP request will return error 500 or whatever, but it won't crash the entire server
Tony Arcieri
@tarcieri
"easy" heh
but sure
Konrad Borowski
@KonradBorowski_gitlab
it's easy if you aren't using unwinds as flow control
Tony Arcieri
@tarcieri
"easy" if everything is RefUnwindSafe :wink:
Konrad Borowski
@KonradBorowski_gitlab
what isn't ;)?
Tony Arcieri
@tarcieri
anything with interior mutability and bugs :trollface:
Konrad Borowski
@KonradBorowski_gitlab
I would say it's a good practice to avoid mutable state
Tony Arcieri
@tarcieri
that's great until you... want to do I/O, or have a secure channel, heh
as it were I'm in the midst of refactoring some code so it doesn't have to be RefUnwindSafe
Konrad Borowski
@KonradBorowski_gitlab
if necessary, you can AssertUnwindSafe; implementing UnwindSafe is safe, but you may violate your code invariants
I think it's a great thing that Rust forces you to think about "will my application be in proper state when a panic occurs somewhere"
Tony Arcieri
@tarcieri
I'm in the process of moving things around so I don't have to lug things across unwind boundaries
Konrad Borowski
@KonradBorowski_gitlab
that's great :)
Tony Arcieri
@tarcieri
and in the process deleting an impl RefUnwindSafe
msehnout
@msehnout
Hi, I work on a project where we are trying to aggregate CVEs for many different languages and ecosystems (like PyPI, NPM, Maven etc.). The current approach works by collecting data from various sources and processing them in various ways, but it has many pitfalls due to the lack of a clear versioning scheme like semver, backporting of fixes to some older versions, etc. Anyway, do you have any plans for an automated way in which the RUSTSEC advisories could be submitted, e.g. some GitHub bot, and, on the other hand, some API/RSS feed for fetching data about the advisories?
It would be nice if there was a system that could be used across all languages, though I am not sure if that isn't too ambitious.
Tony Arcieri
@tarcieri
@msehnout I've heard rumors GitHub is working on something like that, but no, for now the closest thing would be automating submissions by opening issues via GitHub's API
msehnout
@msehnout
@tarcieri ok, thanks for your response
Konrad Borowski
@KonradBorowski_gitlab
Okay, so I reported a security issue in the yaml crate two months ago (2018-09-25), but I got no response from a maintainer
I'm not sure how to continue from here
Tony Arcieri
@tarcieri
@KonradBorowski_gitlab you can open a RUSTSEC issue... is there a public issue on the yaml crate?
Konrad Borowski
@KonradBorowski_gitlab
I probably should create one; I only sent an e-mail