
Cargo audit shows a lot of security issues #1952

Closed
uncomfyhalomacro opened this issue May 5, 2022 · 7 comments
Labels
bug Something isn't working

Comments

@uncomfyhalomacro
Contributor

What Operating System(s) are you seeing this problem on?

Linux X11, Linux Wayland

WezTerm version

20220408-101518-b908e2dd

Did you try the latest nightly build to see if the issue is better (or worse!) than your current version?

No, and I'll explain why below

Describe the bug

I am packaging wezterm for openSUSE. The openSUSE Build Service uses cargo audit to check security issues of the crates.

So I ran cargo audit --json | jq '.["vulnerabilities"]["list"][]' > audit.txt so I can send you the file.

audit.txt

To Reproduce

No response

Configuration

N/A

Expected Behavior

Little to no security issues shown from cargo audit

Logs

N/A

Anything else?

No response

@uncomfyhalomacro uncomfyhalomacro added the bug Something isn't working label May 5, 2022
@wez
Owner

wez commented May 5, 2022

Thanks for sharing!

I don't believe that any of these pose actual exploitable security issues in wezterm, in the sense that wezterm doesn't run with elevated privileges and thus doesn't provide an avenue for unexpected privilege escalation.

Some of the issues mentioned are potential crash bugs in some circumstances that are unlikely to trigger in practice with their use in wezterm; some of the functions in the listed crates are not used in wezterm.

The xcb crate does have unsoundness issues with its string processing; wezterm already bypasses that unsound string implementation and handles those problematic cases for itself.

In addition xcb 1.0 radically changes the API which makes upgrading a non-trivial effort.

While I'm not going to ignore these things, I don't think they are P0 drop-everything issues.
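The triage in this thread (does a patched version exist, is the flagged function even reached, is the crate merely unmaintained) can be scripted over the same `cargo audit --json` output the reporter captured. The following is an added example, not code from this issue or from cargo-audit; it assumes the report layout cargo-audit emits (a `vulnerabilities.list` array plus a `warnings` map keyed by kind such as `unmaintained` or `unsound`), which you should verify against your own run.

```python
"""Triage helper for `cargo audit --json` output (added example; not code from
the wezterm issue or from cargo-audit). The layout assumed below, a
`vulnerabilities.list` array plus a `warnings` map keyed by kind, follows
cargo-audit's report format; confirm it against a real run before relying on it."""
import json

# Constructed sample in that layout; the RUSTSEC ids are placeholders.
SAMPLE = json.dumps({
    "vulnerabilities": {"found": True, "count": 1, "list": [{
        "advisory": {"id": "RUSTSEC-0000-0001", "package": "example-crate",
                     "title": "Out-of-bounds read in decode()"},
        "versions": {"patched": [">=1.2.0"], "unaffected": []},
        "affected": {"functions": {"example_crate::decode": ["<1.2.0"]}},
        "package": {"name": "example-crate", "version": "1.1.0"}}]},
    "warnings": {"unmaintained": [{
        "kind": "unmaintained",
        "advisory": {"id": "RUSTSEC-0000-0002", "package": "old-crate",
                     "title": "old-crate is unmaintained"},
        "versions": {"patched": [], "unaffected": []},
        "package": {"name": "old-crate", "version": "0.3.1"}}]},
})


def triage(report_json: str) -> list[dict]:
    """Return one row per finding with what is needed to decide on an action:
    whether a patched version exists and which functions the advisory limits
    itself to (no listed functions means the whole crate is in scope)."""
    report = json.loads(report_json)
    items = [("vulnerability", v) for v in report.get("vulnerabilities", {}).get("list", [])]
    for kind, warns in report.get("warnings", {}).items():
        items += [(kind, w) for w in warns]
    rows = []
    for kind, item in items:
        patched = item.get("versions", {}).get("patched", [])
        functions = sorted(((item.get("affected") or {}).get("functions") or {}).keys())
        if kind == "unmaintained":
            action = "replace or fork the crate"
        elif patched:
            action = "upgrade to " + ", ".join(patched)
        elif functions:
            action = "no fix: confirm whether the listed functions are reachable"
        else:
            action = "no fix: review the crate's whole surface"
        rows.append({"id": item["advisory"]["id"], "kind": kind,
                     "package": f'{item["package"]["name"]} {item["package"]["version"]}',
                     "functions": functions, "action": action})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run it against real output with `cargo audit --json > audit.json` and `triage(open("audit.json").read())`; the `functions` column is the part to compare against the crate's actual call sites.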

@uncomfyhalomacro
Contributor Author

uncomfyhalomacro commented May 5, 2022

I have the same belief as well! But yeah, I have to comply with their packaging guidelines <3. Anyway, it is very minor and can be reasoned to them if they ask me about it.

@wez
Owner

wez commented May 5, 2022

The chrono issue has no resolution yet

wez added a commit that referenced this issue May 5, 2022
The former is unmaintained and is flagging in cargo audit for its
indirect deps.

The starship folks have forked it; let's use that.

refs: svartalf/rust-battery#92
refs: #1952
wez added a commit that referenced this issue May 7, 2022
Was a bit fiddly.

Eliminated the xcb_util crate

refs: #1952
wez added a commit that referenced this issue May 9, 2022
This cleans up the `cargo audit` output on linux because the `clipboard`
crate (which hasn't been updated in 3 years) depends on xcb=0.8.2
which is flagged by cargo audit.

We don't use `clipboard` on any platform except macos

This commit switches to the `clipboard_macos` crate; that appears to
use a copy and paste of the macos specific code from the `clipboard`
crate, so this shouldn't have any change in functionality.

refs: #1952
@wez
Owner

wez commented May 9, 2022

I've tidied up the dependency graph to prune most of the flagged items; what remains is the chrono issue, which isn't an issue with its usage in wezterm.
So I'm going to close this issue!

@wez wez closed this as completed May 9, 2022
@uncomfyhalomacro
Contributor Author

@wez oh, don't worry! Also, https://build.opensuse.org/package/show/openSUSE:Factory/wezterm it is now in Factory! Hooray!

@wez
Owner

wez commented May 9, 2022

Great! Would you mind submitting a PR to wezterm's install instructions to show users how to install that on SuSE?
https://github.com/wez/wezterm/blob/main/docs/install/linux.markdown

@github-actions

github-actions bot commented Feb 4, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 4, 2023