
Add more advisories for recent Diesel related vulnerabilities #2829

Merged: djc merged 1 commit into rustsec:main from weiznich:more_diesel on May 13, 2026

Conversation

@weiznich (Contributor)
I was asked to fill advisories for these cases as well. I believe the impact of all of them is rather limited, but better be safe than sorry.

@weiznich (Contributor, Author)

Seems like I managed to trip up the CI again, sorry for that.

What's the preferred way to fill a bunch of advisories at the same time?

@Skgland (Contributor) commented Apr 30, 2026

> Seems like I managed to trip up the CI again, sorry for that.
>
> What's the preferred way to fill a bunch of advisories at the same time?

The file name needs to start with RUSTSEC-0000-0000, so you can name them RUSTSEC-0000-0000.1.md, RUSTSEC-0000-0000.2.md, RUSTSEC-0000-0000.3.md and so on.

@Skgland (Contributor) commented Apr 30, 2026

The filename of the diesel-async advisory is missing a 0.

@LawnGnome (Contributor) left a comment

Apart from the naming side of things:

Review threads (outdated): crates/diesel-async/RUSTSEC-0000-000.md, crates/diesel/RUSTSEC-0000-0000.3.md
@weiznich (Contributor, Author) commented May 1, 2026

I shouldn't have pushed that in a rush, so sorry again for the noise.

I've now addressed everything mentioned above, but the CI still fails with the following error:

error: ./crates/diesel-async/RUSTSEC-0000-0000.md contained the following lint errors:
  - invalid value `diesel::serialize::FromSql<Date,Mysql>` for key `functions` in [affected]: function path must start with crate name
  - invalid value `diesel::serialize::FromSql<DateTime,Mysql>` for key `functions` in [affected]: function path must start with crate name
  - invalid value `diesel::serialize::FromSql<Time,Mysql>` for key `functions` in [affected]: function path must start with crate name
  - invalid value `diesel::serialize::FromSql<Timestamp,Mysql>` for key `functions` in [affected]: function path must start with crate name

I understand that restriction, it's just that these paths are the most accurate description of the place where the issue happens that I can provide without putting a lot of extremely large types there. Do you have any suggestions on how to handle that?
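As an added illustration (not the rustsec tooling's own code), a small checker that reproduces the two CI gates discussed in this thread: the RUSTSEC-0000-0000(.N).md file naming from Skgland's comment and the "function path must start with crate name" rule behind the lint error above. The sample front matter, the version range and the hyphen-to-underscore normalisation of the crate name are assumptions of this example.

```python
import re
from typing import List

FENCE = "`" * 3  # RustSec advisories keep their TOML front matter in a ```toml fence at the top of the .md

# Constructed sample modelled on the failing diesel-async file quoted in the thread;
# it is not the PR's real advisory text, and the version range is made up.
SAMPLE_ADVISORY = f"""{FENCE}toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "diesel-async"

[affected]
functions = {{ "diesel::serialize::FromSql<Date,Mysql>" = ["< 0.6.1"] }}
{FENCE}

# Title placeholder
"""

FILENAME_RE = re.compile(r"^RUSTSEC-0000-0000(\.\d+)?\.md$")
PACKAGE_RE = re.compile(r'^package\s*=\s*"([^"]+)"', re.MULTILINE)
AFFECTED_RE = re.compile(r"^\[affected\]\s*(.*?)(?=^\[|\Z)", re.MULTILINE | re.DOTALL)
FUNC_KEY_RE = re.compile(r'"([^"]+)"\s*=\s*\[')


def lint_filename(name: str) -> List[str]:
    """Unpublished advisories are RUSTSEC-0000-0000.md or RUSTSEC-0000-0000.N.md."""
    if FILENAME_RE.match(name):
        return []
    return [f"{name}: file name must start with RUSTSEC-0000-0000 (use .1.md, .2.md, ... for several)"]


def lint_functions(advisory_md: str) -> List[str]:
    """Every key of [affected].functions must be a path rooted at the advisory's own crate."""
    start = advisory_md.index(FENCE + "toml") + len(FENCE) + len("toml")
    toml = advisory_md[start:advisory_md.index(FENCE, start)]
    package = PACKAGE_RE.search(toml).group(1)
    crate_root = package.replace("-", "_") + "::"  # assumption: hyphens become underscores in paths
    affected = AFFECTED_RE.search(toml)
    if not affected or "functions" not in affected.group(1):
        return []  # no functions listed: nothing to check (the resolution suggested later in the thread)
    table = affected.group(1).split("functions", 1)[1]
    return [
        f"invalid value `{key}` for key `functions` in [affected]: function path must start with crate name"
        for key in FUNC_KEY_RE.findall(table)
        if not key.startswith(crate_root)
    ]


def lint(name: str, advisory_md: str) -> List[str]:
    return lint_filename(name) + lint_functions(advisory_md)
```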

@djc (Member) commented May 6, 2026

> I was asked to fill advisories for these cases as well. I believe the impact of all of them is rather limited, but better be safe than sorry.

Who asked you? If you judge some of these not to be deserving of an advisory, I'd prefer to trust your judgement. See here for more discussion:

@weiznich (Contributor, Author)

> Who asked you?

https://social.weiznich.de/@weiznich/116459592474794105 (Yea, I know a sample size of 2 isn't great)

> If you judge some of these not to be deserving of an advisory, I'd prefer to trust your judgement.

To be honest, I don't know what the correct approach is here.

The reasoning for opening this PR is as follows:

  • There was this other unsoundness in diesel-async filed as a GitHub advisory. It's not a critical issue, but having it as an advisory is likely OK given that it is still a soundness issue and could expose stack memory in constructed edge cases. If it's a GitHub advisory, it also warrants a rustsec advisory.
  • The same thing also happened in diesel, so if it warrants an advisory in diesel-async it also warrants an advisory in diesel.
  • If this issue warrants an advisory, the other issues fixed by that PR also warrant an advisory, as they are equally "obscure" or even a bit more severe.

Now I could put all the issues for diesel in one advisory to keep the noise ratio low, but given that each issue affects another part of the code base, and it's totally realistic that at least some of the users are not affected by any of the issues, that also doesn't sound like a good solution.

If you have any input on this subject I'm more than happy to listen to you. If you (or any other rustsec member) feel that this is too much noise, that's also fine with me.

@djc (Member) left a comment

Okay, I'm open to merging this.

Review threads: crates/diesel-async/RUSTSEC-0000-0000.md; crates/diesel/RUSTSEC-0000-0000.2.md (two threads, outdated); crates/diesel/RUSTSEC-0000-0000.md (outdated)
@djc (Member) commented May 12, 2026

> I shouldn't have pushed that in a rush, so sorry again for the noise.
>
> I've now addressed everything mentioned above, but the CI still fails with the following error:
>
> error: ./crates/diesel-async/RUSTSEC-0000-0000.md contained the following lint errors:
>   - invalid value `diesel::serialize::FromSql<Date,Mysql>` for key `functions` in [affected]: function path must start with crate name
>   - invalid value `diesel::serialize::FromSql<DateTime,Mysql>` for key `functions` in [affected]: function path must start with crate name
>   - invalid value `diesel::serialize::FromSql<Time,Mysql>` for key `functions` in [affected]: function path must start with crate name
>   - invalid value `diesel::serialize::FromSql<Timestamp,Mysql>` for key `functions` in [affected]: function path must start with crate name
>
> I understand that restriction, it's just that these paths are the most accurate description of the place where the issue happens that I can provide without putting a lot of extremely large types there. Do you have any suggestions on how to handle that?

I'd suggest to just drop the affected paths, maybe demoting them to be in the advisory text instead of the metadata?

@weiznich weiznich changed the title Add more advisories for recvent Diesel related vulnerabilities Add more advisories for recent Diesel related vulnerabilities May 13, 2026
I was asked to fill advisories for these cases as well. I believe the
impact of all of them is rather limited, but better be safe than sorry.
@djc djc merged commit d1e5f9e into rustsec:main May 13, 2026
1 check passed