
CVE-2023-26964 question #279

Closed
jubalh opened this issue Jul 24, 2023 · 13 comments

Comments

@jubalh

jubalh commented Jul 24, 2023

I'm not very familiar with Rust so I would like to ask this question.
I saw there is https://nvd.nist.gov/vuln/detail/CVE-2023-26964 and GHSA-f8vr-r385-rh5r says that h2 < 0.3.17 is affected.
Does that mean that hoard is affected?

@Hyde46
Owner

Hyde46 commented Jul 25, 2023

Thanks for pointing this out!
Actually yes it seems transitively affected. I'm relying on the reqwest library for http calls which is using a version of h2 which includes the issue.
I'll replace some dependencies and build & publish a new version in the next couple of days.
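The transitive exposure described above is something a packager can check mechanically from Cargo.lock rather than by reading the dependency graph by hand. The following is an added example, not hoard's or reqwest's code: it walks the `[[package]]` sections of a lock file, collects every pinned `h2` version, and reports the ones below 0.3.17, the first fixed version named in GHSA-f8vr-r385-rh5r. The lock-file snippet, the `Version` type and the function names are constructed for the example.

```rust
// Added example (not hoard's code): find `h2` entries in a Cargo.lock and
// report those locked below the advisory's fixed version (0.3.17).
#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone, Copy)]
pub struct Version(pub u64, pub u64, pub u64);

/// Parses "MAJOR.MINOR.PATCH"; anything else yields None.
pub fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    Some(Version(parts.next()??, parts.next()??, parts.next()??))
}

/// Returns every (name, version) pair found in `[[package]]` sections.
/// Cargo.lock lists `name = "..."` before `version = "..."` in each section.
pub fn locked_packages(lock: &str) -> Vec<(String, Version)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            name = None;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            if let (Some(n), Some(ver)) = (name.take(), parse_version(v.trim_matches('"'))) {
                out.push((n, ver));
            }
        }
    }
    out
}

/// First fixed h2 version per GHSA-f8vr-r385-rh5r; anything below is affected.
pub const H2_FIXED: Version = Version(0, 3, 17);

/// Locked `h2` versions still below the fix (a lock file may pin more than one).
pub fn vulnerable_h2(lock: &str) -> Vec<Version> {
    locked_packages(lock)
        .into_iter()
        .filter(|(n, v)| n == "h2" && *v < H2_FIXED)
        .map(|(_, v)| v)
        .collect()
}

/// Constructed sample lock file for this example (not hoard's real Cargo.lock).
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "h2"
version = "0.3.16"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "reqwest"
version = "0.11.14"
dependencies = [
 "h2",
]
"#;

fn main() {
    let hits = vulnerable_h2(SAMPLE_LOCK);
    if hits.is_empty() {
        println!("no h2 version locked below 0.3.17");
    } else {
        println!("affected h2 version(s) locked: {:?}", hits);
    }
}
```

Running it against a real lock file (read with `std::fs::read_to_string` instead of `SAMPLE_LOCK`) gives the same answer `cargo audit` would for this one advisory; the point of the hand-rolled scan is that the vulnerable crate is pulled in by `reqwest`, so it never appears in Cargo.toml and only the lock file shows it.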

@Hyde46 Hyde46 closed this as completed Jul 25, 2023
@Hyde46 Hyde46 reopened this Jul 25, 2023
@Hyde46
Owner

Hyde46 commented Jul 25, 2023

Whoops, didn't mean to close it.

@Hyde46 Hyde46 mentioned this issue Jul 25, 2023
@Hyde46
Owner

Hyde46 commented Jul 25, 2023

New release is finished 👍
Thanks again!

@Hyde46 Hyde46 closed this as completed Jul 25, 2023
@jubalh
Author

jubalh commented Jul 25, 2023

Thanks for the update!

When updating the openSUSE package I got the following error during building though:

[   54s]    Compiling hoard-rs v1.3.1 (/home/abuild/rpmbuild/BUILD/hoard-1.3.2~0)
[   55s] warning: unused import: `DrawState`
[   55s]  --> src/gui/list_search/key_not_set_controls.rs:2:46
[   55s]   |
[   55s] 2 | use crate::gui::commands_gui::{ControlState, DrawState, State};
[   55s]   |                                              ^^^^^^^^^
[   55s]   |
[   55s]   = note: `#[warn(unused_imports)]` on by default
[   55s] 
[   55s] warning: unused import: `chatgpt::prelude::ChatGPT`
[   55s]   --> src/hoard.rs:27:5
[   55s]    |
[   55s] 27 | use chatgpt::prelude::ChatGPT;
[   55s]    |     ^^^^^^^^^^^^^^^^^^^^^^^^^
[   55s] 
[   55s] error[E0597]: `theme` does not live long enough
[   55s]    --> src/gui/prompts.rs:95:26
[   55s]     |
[   55s] 94  |     let theme = HoardTheme::default();
[   55s]     |         ----- binding `theme` declared here
[   55s] 95  |     Password::with_theme(&theme)
[   55s]     |     ---------------------^^^^^^-
[   55s]     |     |                    |
[   55s]     |     |                    borrowed value does not live long enough
[   55s]     |     a temporary with access to the borrow is created here ...
[   55s] ...
[   55s] 100 | }
[   55s]     | -
[   55s]     | |
[   55s]     | `theme` dropped here while still borrowed
[   55s]     | ... and the borrow might be used here, when that temporary is dropped and runs the destructor for type `Password<'_>`
[   55s]     |
[   55s]     = note: the temporary is part of an expression at the end of a block;
[   55s]             consider forcing this temporary to be dropped sooner, before the block's local variables are dropped
[   55s] help: for example, you could save the expression's value in a new local variable `x` and then make `x` be the expression at the end of the block
[   55s]     |
[   55s] 95  ~     let x = Password::with_theme(&theme)
[   55s] 96  |         .with_prompt(text)
[   55s] 97  |         .with_confirmation("Repeat password", "Error: the passwords don't match.")
[   55s] 98  |         .interact()
[   55s] 99  ~         .unwrap(); x
[   55s]     |
[   55s] 
[   55s] error[E0597]: `theme` does not live long enough
[   55s]    --> src/gui/prompts.rs:104:26
[   55s]     |
[   55s] 103 |     let theme = HoardTheme::default();
[   55s]     |         ----- binding `theme` declared here
[   55s] 104 |     Password::with_theme(&theme)
[   55s]     |     ---------------------^^^^^^-
[   55s]     |     |                    |
[   55s]     |     |                    borrowed value does not live long enough
[   55s]     |     a temporary with access to the borrow is created here ...
[   55s] ...
[   55s] 108 | }
[   55s]     | -
[   55s]     | |
[   55s]     | `theme` dropped here while still borrowed
[   55s]     | ... and the borrow might be used here, when that temporary is dropped and runs the destructor for type `Password<'_>`
[   55s]     |
[   55s]     = note: the temporary is part of an expression at the end of a block;
[   55s]             consider forcing this temporary to be dropped sooner, before the block's local variables are dropped
[   55s] help: for example, you could save the expression's value in a new local variable `x` and then make `x` be the expression at the end of the block
[   55s]     |
[   55s] 104 ~     let x = Password::with_theme(&theme)
[   55s] 105 |         .with_prompt(text)
[   55s] 106 |         .interact()
[   55s] 107 ~         .unwrap(); x
[   55s]     |
[   55s] 
[   55s] For more information about this error, try `rustc --explain E0597`.
[   55s] warning: `hoard-rs` (bin "hoard") generated 2 warnings
[   55s] error: could not compile `hoard-rs` (bin "hoard") due to 2 previous errors; 2 warnings emitted
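The E0597 errors in the log above are the tail-expression temporary problem: `Password::with_theme(&theme)...unwrap()` sits as the last expression of the block, so the temporary `Password<'_>` it creates is dropped after the block's locals, including `theme` that it borrows, and because `Password` has a destructor the borrow checker must assume the destructor uses the borrow. The following is an added example, not hoard's or dialoguer's code: `Theme` stands in for `HoardTheme` and `Prompt<'a>` for `Password<'a>` (both assumptions), with a `Drop` impl to trigger the same error, and `ask_fixed` applies the rewrite the compiler suggests.

```rust
// Added example (not hoard's code): minimal reproduction of the E0597
// "`theme` does not live long enough" error from the build log, and the
// fix rustc proposes. `Theme` and `Prompt<'a>` are stand-ins (assumptions)
// for HoardTheme and dialoguer's Password<'a>.
pub struct Theme {
    pub prefix: String,
}

impl Default for Theme {
    fn default() -> Self {
        Theme { prefix: "> ".to_string() }
    }
}

/// A builder that borrows a theme and has a destructor, like `Password<'_>`.
pub struct Prompt<'a> {
    theme: &'a Theme,
    text: String,
}

impl<'a> Drop for Prompt<'a> {
    fn drop(&mut self) {
        // The destructor touches the borrowed theme, which is why the borrow
        // checker requires `theme` to outlive every `Prompt` temporary.
        let _ = self.theme.prefix.len();
    }
}

impl<'a> Prompt<'a> {
    pub fn with_theme(theme: &'a Theme) -> Self {
        Prompt { theme, text: String::new() }
    }

    pub fn with_prompt(mut self, text: &str) -> Self {
        self.text = text.to_string();
        self
    }

    /// Stand-in for `.interact()`: returns the rendered prompt instead of
    /// reading from the terminal, so the example runs offline.
    pub fn interact(&self) -> Result<String, String> {
        Ok(format!("{}{}", self.theme.prefix, self.text))
    }
}

// Rejected with E0597 on edition 2021 (as in the log): the `Prompt` temporary
// in the tail expression lives until after `theme` is dropped, and its Drop
// impl still holds the borrow.
//
// pub fn ask_broken(text: &str) -> String {
//     let theme = Theme::default();
//     Prompt::with_theme(&theme).with_prompt(text).interact().unwrap()
// }

/// The compiler's suggested fix: bind the result to a local so the temporary
/// is dropped at the end of that `let` statement, before `theme` goes away.
pub fn ask_fixed(text: &str) -> String {
    let theme = Theme::default();
    let result = Prompt::with_theme(&theme)
        .with_prompt(text)
        .interact()
        .unwrap();
    result
}

fn main() {
    println!("{}", ask_fixed("Enter password"));
}
```

The same shape explains why the error appears only on some toolchains: whether the tail temporary outlives the locals depends on the edition's temporary-lifetime rules, not on the logic of the function, so a build that passes locally can still fail for a packager building with different settings.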

@Hyde46
Owner

Hyde46 commented Jul 25, 2023

Hmm, current main builds for me locally.
What version of rust are you on?

@Hyde46 Hyde46 reopened this Jul 25, 2023
@jubalh
Author

jubalh commented Jul 25, 2023

> What version of rust are you on?

Rust 1.71

@Hyde46
Owner

Hyde46 commented Jul 25, 2023

Also builds for me with 1.71
I see Compiling hoard-rs v1.3.1 at the top of your message.
Can you make sure that you are on the latest changes on main and try to build again please?

@jubalh
Author

jubalh commented Jul 25, 2023

> I see Compiling hoard-rs v1.3.1 at the top of your message.

I do believe that is because you did 9a6599b after tagging the release. Thus it still prints the 1.3.1 version.

> Can you make sure that you are on the latest changes on main and try to build again please?

I'm using the tarball from here https://github.com/Hyde46/hoard/releases/tag/v1.3.2

I took the changes on master from https://github.com/Hyde46/hoard/compare/v1.3.2...main.patch and added them in a patch, resulting in the correct version being printed: Compiling hoard-rs v1.3.2.

But the error still stays. I'll upload the full build log in a second in case that helps.

@jubalh
Author

jubalh commented Jul 25, 2023

buildlog.txt

@jubalh
Author

jubalh commented Jul 31, 2023

I tried the 1.4.0 release and now get only:

[   78s]    Compiling hoard-rs v1.4.0 (/home/abuild/rpmbuild/BUILD/hoard-1.4.0~0)
[   79s] error[E0597]: `theme` does not live long enough
[   79s]    --> src/gui/prompts.rs:95:26
[   79s]     |
[   79s] 94  |     let theme = HoardTheme::default();
[   79s]     |         ----- binding `theme` declared here
[   79s] 95  |     Password::with_theme(&theme)
[   79s]     |     ---------------------^^^^^^-
[   79s]     |     |                    |
[   79s]     |     |                    borrowed value does not live long enough
[   79s]     |     a temporary with access to the borrow is created here ...
[   79s] ...
[   79s] 100 | }
[   79s]     | -
[   79s]     | |
[   79s]     | `theme` dropped here while still borrowed
[   79s]     | ... and the borrow might be used here, when that temporary is dropped and runs the destructor for type `Password<'_>`
[   79s]     |
[   79s]     = note: the temporary is part of an expression at the end of a block;
[   79s]             consider forcing this temporary to be dropped sooner, before the block's local variables are dropped
[   79s] help: for example, you could save the expression's value in a new local variable `x` and then make `x` be the expression at the end of the block
[   79s]     |
[   79s] 95  ~     let x = Password::with_theme(&theme)
[   79s] 96  |         .with_prompt(text)
[   79s] 97  |         .with_confirmation("Repeat password", "Error: the passwords don't match.")
[   79s] 98  |         .interact()
[   79s] 99  ~         .unwrap(); x
[   79s]     |
[   79s] 
[   79s] error[E0597]: `theme` does not live long enough
[   79s]    --> src/gui/prompts.rs:104:26
[   79s]     |
[   79s] 103 |     let theme = HoardTheme::default();
[   79s]     |         ----- binding `theme` declared here
[   79s] 104 |     Password::with_theme(&theme)
[   79s]     |     ---------------------^^^^^^-
[   79s]     |     |                    |
[   79s]     |     |                    borrowed value does not live long enough
[   79s]     |     a temporary with access to the borrow is created here ...
[   79s] ...
[   79s] 108 | }
[   79s]     | -
[   79s]     | |
[   79s]     | `theme` dropped here while still borrowed
[   79s]     | ... and the borrow might be used here, when that temporary is dropped and runs the destructor for type `Password<'_>`
[   79s]     |
[   79s]     = note: the temporary is part of an expression at the end of a block;
[   79s]             consider forcing this temporary to be dropped sooner, before the block's local variables are dropped
[   79s] help: for example, you could save the expression's value in a new local variable `x` and then make `x` be the expression at the end of the block
[   79s]     |
[   79s] 104 ~     let x = Password::with_theme(&theme)
[   79s] 105 |         .with_prompt(text)
[   79s] 106 |         .interact()
[   79s] 107 ~         .unwrap(); x
[   79s]     |

Full build log: https://build.opensuse.org/build/utilities/openSUSE_Factory/x86_64/hoard/_log

@Hyde46
Owner

Hyde46 commented Aug 6, 2023

Finally could replicate the issue and could fix it. Thanks for the build logs!

@Hyde46
Owner

Hyde46 commented Aug 6, 2023

Should hopefully be okay with release 1.4.2 now.

@Hyde46 Hyde46 closed this as completed Aug 6, 2023
@jubalh
Author

jubalh commented Aug 6, 2023

That did the trick :)
