Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Patch Security Vulnerabilities Across Multiple Dependencies #25

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Security: Patch Security Vulnerabilities Across Multiple Dependencies #25

wants to merge 4 commits into from

Conversation

t4nature
Copy link

Summary

This pull request addresses several security vulnerabilities discovered through cargo audit. The vulnerabilities span across multiple crates, including h2, mio, and openssl. Each vulnerability is associated with potential security risks, including denial of service (DoS), arbitrary file read, thread safety issues, buffer over-reads, and null pointer dereference.

Details of Vulnerabilities and Solutions

  1. h2: Upgraded to 0.3.24 to mitigate resource exhaustion vulnerability that could lead to DoS.
  2. mio: Upgraded to 0.8.11 to resolve issues with tokens for named pipes being delivered after deregistration.
  3. openssl: Upgraded to 0.10.55 to address several vulnerabilities:

Actions Taken

  • Performed cargo update -p <crate_name> --precise <version> for each affected crate to ensure the least intrusive update that resolves the vulnerabilities.
  • Ran cargo test post-upgrade to ensure no regressions were introduced.

Conclusion

These updates are critical for maintaining the security and integrity of the project. It is recommended to merge this PR as soon as possible to apply these security patches. Further, detailed testing and validation are advised to ensure the updates integrate smoothly with the existing codebase.

Attachment: cargo audit Output for Reference

To provide clear context and justify the necessity of the updates made in this pull request, I've included the output of cargo audit below. This output highlights the specific vulnerabilities that were addressed by the updates to h2, mio, and openssl dependencies:

    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 615 security advisories (from /home/obj/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (210 crate dependencies)
Crate:     h2
Version:   0.3.16
Title:     Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
Date:      2024-01-17
ID:        RUSTSEC-2024-0003
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0003
Solution:  Upgrade to ^0.3.24 OR >=0.4.2
Dependency tree:
h2 0.3.16
├── reqwest 0.11.14
│   ├── teloxide-core 0.9.1
│   │   └── teloxide 0.12.2
│   │       └── telegpt 0.1.0
│   ├── reqwest-eventsource 0.4.0
│   │   └── async-openai 0.9.4
│   │       └── telegpt 0.1.0
│   └── async-openai 0.9.4
└── hyper 0.14.24
    ├── reqwest 0.11.14
    └── hyper-tls 0.5.0
        └── reqwest 0.11.14

Crate:     h2
Version:   0.3.16
Title:     Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
Date:      2023-04-14
ID:        RUSTSEC-2023-0034
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0034
Solution:  Upgrade to >=0.3.17

Crate:     mio
Version:   0.8.6
Title:     Tokens for named pipes may be delivered after deregistration
Date:      2024-03-04
ID:        RUSTSEC-2024-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0019
Solution:  Upgrade to >=0.8.11
Dependency tree:
mio 0.8.6
└── tokio 1.26.0
    ├── tokio-util 0.7.7
    │   ├── teloxide-core 0.9.1
    │   │   └── teloxide 0.12.2
    │   │       └── telegpt 0.1.0
    │   ├── teloxide 0.12.2
    │   ├── reqwest 0.11.14
    │   │   ├── teloxide-core 0.9.1
    │   │   ├── reqwest-eventsource 0.4.0
    │   │   │   └── async-openai 0.9.4
    │   │   │       └── telegpt 0.1.0
    │   │   └── async-openai 0.9.4
    │   ├── h2 0.3.16
    │   │   ├── reqwest 0.11.14
    │   │   └── hyper 0.14.24
    │   │       ├── reqwest 0.11.14
    │   │       └── hyper-tls 0.5.0
    │   │           └── reqwest 0.11.14
    │   └── async-openai 0.9.4
    ├── tokio-stream 0.1.12
    │   ├── teloxide 0.12.2
    │   └── async-openai 0.9.4
    ├── tokio-native-tls 0.3.1
    │   ├── reqwest 0.11.14
    │   └── hyper-tls 0.5.0
    ├── teloxide-core 0.9.1
    ├── teloxide 0.12.2
    ├── telegpt 0.1.0
    ├── reqwest 0.11.14
    ├── hyper-tls 0.5.0
    ├── hyper 0.14.24
    ├── h2 0.3.16
    ├── backoff 0.4.0
    │   └── async-openai 0.9.4
    └── async-openai 0.9.4

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow arbitrary file read
Date:      2023-03-24
ID:        RUSTSEC-2023-0023
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0023
Solution:  Upgrade to >=0.10.48
Dependency tree:
openssl 0.10.45
└── native-tls 0.2.11
    ├── tokio-native-tls 0.3.1
    │   ├── reqwest 0.11.14
    │   │   ├── teloxide-core 0.9.1
    │   │   │   └── teloxide 0.12.2
    │   │   │       └── telegpt 0.1.0
    │   │   ├── reqwest-eventsource 0.4.0
    │   │   │   └── async-openai 0.9.4
    │   │   │       └── telegpt 0.1.0
    │   │   └── async-openai 0.9.4
    │   └── hyper-tls 0.5.0
    │       └── reqwest 0.11.14
    ├── reqwest 0.11.14
    └── hyper-tls 0.5.0

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `X509NameBuilder::build` returned object is not thread safe
Date:      2023-03-24
ID:        RUSTSEC-2023-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0022
Solution:  Upgrade to >=0.10.48

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `X509VerifyParamRef::set_host` buffer over-read
Date:      2023-06-20
ID:        RUSTSEC-2023-0044
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0044
Solution:  Upgrade to >=0.10.55

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer dereference
Date:      2023-03-24
ID:        RUSTSEC-2023-0024
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0024
Solution:  Upgrade to >=0.10.48

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── env_logger 0.7.1
    └── pretty_env_logger 0.4.0
        └── telegpt 0.1.0

Crate:     openssl
Version:   0.10.45
Warning:   unsound
Title:     `openssl` `X509StoreRef::objects` is unsound
Date:      2023-11-23
ID:        RUSTSEC-2023-0072
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0072

Crate:     ahash
Version:   0.7.6
Warning:   yanked
Dependency tree:
ahash 0.7.6
└── hashbrown 0.12.3
    ├── indexmap 1.9.2
    │   └── h2 0.3.16
    │       ├── reqwest 0.11.14
    │       │   ├── teloxide-core 0.9.1
    │       │   │   └── teloxide 0.12.2
    │       │   │       └── telegpt 0.1.0
    │       │   ├── reqwest-eventsource 0.4.0
    │       │   │   └── async-openai 0.9.4
    │       │   │       └── telegpt 0.1.0
    │       │   └── async-openai 0.9.4
    │       └── hyper 0.14.24
    │           ├── reqwest 0.11.14
    │           └── hyper-tls 0.5.0
    │               └── reqwest 0.11.14
    └── hashlink 0.8.1
        └── rusqlite 0.28.0
            └── telegpt 0.1.0

Crate:     hermit-abi
Version:   0.3.1
Warning:   yanked
Dependency tree:
hermit-abi 0.3.1
└── is-terminal 0.4.4
    ├── env_logger 0.10.0
    │   └── telegpt 0.1.0
    └── clap 4.1.8
        └── telegpt 0.1.0

warning: 4 allowed warnings found

@t4nature
Fix incorrect length expectation in test_code
7c09b62 
This commit corrects the expected length of the code snippet in the test_code function from 19 to 18. The previous length expectation of 19 did not accurately reflect the number of characters in the given code snippet, leading to test failures. The adjustment ensures that the test accurately tests for the correct length of the code snippet, addressing the issue where the test would fail due to an off-by-one error in the length expectation.
@t4nature
Update h2 to 0.3.24 to fix DoS vulnerability
70586b7 
This update addresses the denial of service (DoS) vulnerability identified in h2 versions up to 0.3.16, as reported in RUSTSEC-2024-0003 and RUSTSEC-2023-0034.
@t4nature
Update mio to 0.8.11 to resolve token deregistration issue
40510c8 
This commit upgrades the `mio` dependency from version 0.8.6 to 0.8.11 to fix a vulnerability where tokens for named pipes could be delivered even after deregistration, as detailed in RUSTSEC-2024-0019. Post-upgrade testing with `cargo test` confirms no regressions introduced.
@t4nature
Update openssl to 0.10.55 to address security vulnerabilities
5b481c9 
This commit updates the `openssl` crate from version 0.10.45 to 0.10.55, mitigating several security issues as reported in RUSTSEC advisories: RUSTSEC-2023-0023, RUSTSEC-2023-0022, RUSTSEC-2023-0044, and RUSTSEC-2023-0024. The addressed vulnerabilities range from arbitrary file read capabilities and thread safety issues to buffer over-reads and null pointer dereferences in various `openssl` functions. Post-update, `cargo test` was executed to check for immediate issues; however, comprehensive stability testing of the application remains pending.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@t4nature