RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels

[pallaswept]

I'm just building an RPM package for this, and the toolchain informed me of this vuln:

2025-02-17T08:54:41.058398Z  WARN obs_service_cargo::audit: ⚠  1 vulnerability found.
2025-02-17T08:54:41.058401Z  WARN obs_service_cargo::audit: - RUSTSEC-2023-0071 rsa 0.9.7 - categories crypto-failure - cvss 5.9
2025-02-17T08:54:41.058405Z ERROR obs_service_cargo::audit: ⚠  You must action these before submitting this package.
2025-02-17T08:54:41.058407Z ERROR obs_service_cargo::audit: 🛑 Vulnerabilities found in application dependencies. These must be actioned to proceed with vendoring.

https://rustsec.org/advisories/RUSTSEC-2023-0071.html
RustCrypto/RSA#394

The good news is that patch which fixes it has just been merged.

I'll just bypass this and go ahead with the packaging for now, but I thought I should let you know.

[nresare]

Oh, they made progress on the proper fix, that is great.

I saw that same warning last year and found it a bit annoying that as far as I could tell there is no way to indicate to the automated tools that we are unaffected by this issue by design. We are merely using RSA to validate signatures and as such we hold no private key information that could be leaked through the timing issues mentioned.

Looking forward to updating the dependency as soon as RSA 0.10 proper is out

[pallaswept]

We are merely using RSA to validate signatures and as such we hold no private key information that could be leaked through the timing issues mentioned.

Thanks for confirming. I figured it was not something that would effect this, so I went ahead and bypassed the error

This builds with a very simple spec file and I'm pretty sure that this OBS repository will be able to build for Fedora and Redhat without too much effort. It's just the rust build dependencies which will need sorting out with a conditional build. I'll test this for real over the next few days, I'll let you know how it goes.