Skip to content

Security: Patch Security Vulnerabilities Across Multiple Dependencies#25

Open
t4nature wants to merge 4 commits intoHelixform:masterfrom
t4nature:security/fix-vulnerabilities
Open

Security: Patch Security Vulnerabilities Across Multiple Dependencies#25
t4nature wants to merge 4 commits intoHelixform:masterfrom
t4nature:security/fix-vulnerabilities

Conversation

@t4nature
Copy link

@t4nature t4nature commented Mar 31, 2024

Summary

This pull request addresses several security vulnerabilities discovered through cargo audit. The vulnerabilities span across multiple crates, including h2, mio, and openssl. Each vulnerability is associated with potential security risks, including denial of service (DoS), arbitrary file read, thread safety issues, buffer over-reads, and null pointer dereference.

Details of Vulnerabilities and Solutions

  1. h2: Upgraded to 0.3.24 to mitigate resource exhaustion vulnerability that could lead to DoS.
  2. mio: Upgraded to 0.8.11 to resolve issues with tokens for named pipes being delivered after deregistration.
  3. openssl: Upgraded to 0.10.55 to address several vulnerabilities:

Actions Taken

  • Performed cargo update -p <crate_name> --precise <version> for each affected crate to ensure the least intrusive update that resolves the vulnerabilities.
  • Ran cargo test post-upgrade to ensure no regressions were introduced.

Conclusion

These updates are critical for maintaining the security and integrity of the project. It is recommended to merge this PR as soon as possible to apply these security patches. Further, detailed testing and validation are advised to ensure the updates integrate smoothly with the existing codebase.

Attachment: cargo audit Output for Reference

To provide clear context and justify the necessity of the updates made in this pull request, I've included the output of cargo audit below. This output highlights the specific vulnerabilities that were addressed by the updates to h2, mio, and openssl dependencies:

    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 615 security advisories (from /home/obj/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (210 crate dependencies)
Crate:     h2
Version:   0.3.16
Title:     Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
Date:      2024-01-17
ID:        RUSTSEC-2024-0003
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0003
Solution:  Upgrade to ^0.3.24 OR >=0.4.2
Dependency tree:
h2 0.3.16
├── reqwest 0.11.14
│   ├── teloxide-core 0.9.1
│   │   └── teloxide 0.12.2
│   │       └── telegpt 0.1.0
│   ├── reqwest-eventsource 0.4.0
│   │   └── async-openai 0.9.4
│   │       └── telegpt 0.1.0
│   └── async-openai 0.9.4
└── hyper 0.14.24
    ├── reqwest 0.11.14
    └── hyper-tls 0.5.0
        └── reqwest 0.11.14

Crate:     h2
Version:   0.3.16
Title:     Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
Date:      2023-04-14
ID:        RUSTSEC-2023-0034
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0034
Solution:  Upgrade to >=0.3.17

Crate:     mio
Version:   0.8.6
Title:     Tokens for named pipes may be delivered after deregistration
Date:      2024-03-04
ID:        RUSTSEC-2024-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0019
Solution:  Upgrade to >=0.8.11
Dependency tree:
mio 0.8.6
└── tokio 1.26.0
    ├── tokio-util 0.7.7
    │   ├── teloxide-core 0.9.1
    │   │   └── teloxide 0.12.2
    │   │       └── telegpt 0.1.0
    │   ├── teloxide 0.12.2
    │   ├── reqwest 0.11.14
    │   │   ├── teloxide-core 0.9.1
    │   │   ├── reqwest-eventsource 0.4.0
    │   │   │   └── async-openai 0.9.4
    │   │   │       └── telegpt 0.1.0
    │   │   └── async-openai 0.9.4
    │   ├── h2 0.3.16
    │   │   ├── reqwest 0.11.14
    │   │   └── hyper 0.14.24
    │   │       ├── reqwest 0.11.14
    │   │       └── hyper-tls 0.5.0
    │   │           └── reqwest 0.11.14
    │   └── async-openai 0.9.4
    ├── tokio-stream 0.1.12
    │   ├── teloxide 0.12.2
    │   └── async-openai 0.9.4
    ├── tokio-native-tls 0.3.1
    │   ├── reqwest 0.11.14
    │   └── hyper-tls 0.5.0
    ├── teloxide-core 0.9.1
    ├── teloxide 0.12.2
    ├── telegpt 0.1.0
    ├── reqwest 0.11.14
    ├── hyper-tls 0.5.0
    ├── hyper 0.14.24
    ├── h2 0.3.16
    ├── backoff 0.4.0
    │   └── async-openai 0.9.4
    └── async-openai 0.9.4

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow arbitrary file read
Date:      2023-03-24
ID:        RUSTSEC-2023-0023
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0023
Solution:  Upgrade to >=0.10.48
Dependency tree:
openssl 0.10.45
└── native-tls 0.2.11
    ├── tokio-native-tls 0.3.1
    │   ├── reqwest 0.11.14
    │   │   ├── teloxide-core 0.9.1
    │   │   │   └── teloxide 0.12.2
    │   │   │       └── telegpt 0.1.0
    │   │   ├── reqwest-eventsource 0.4.0
    │   │   │   └── async-openai 0.9.4
    │   │   │       └── telegpt 0.1.0
    │   │   └── async-openai 0.9.4
    │   └── hyper-tls 0.5.0
    │       └── reqwest 0.11.14
    ├── reqwest 0.11.14
    └── hyper-tls 0.5.0

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `X509NameBuilder::build` returned object is not thread safe
Date:      2023-03-24
ID:        RUSTSEC-2023-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0022
Solution:  Upgrade to >=0.10.48

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `X509VerifyParamRef::set_host` buffer over-read
Date:      2023-06-20
ID:        RUSTSEC-2023-0044
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0044
Solution:  Upgrade to >=0.10.55

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer dereference
Date:      2023-03-24
ID:        RUSTSEC-2023-0024
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0024
Solution:  Upgrade to >=0.10.48

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── env_logger 0.7.1
    └── pretty_env_logger 0.4.0
        └── telegpt 0.1.0

Crate:     openssl
Version:   0.10.45
Warning:   unsound
Title:     `openssl` `X509StoreRef::objects` is unsound
Date:      2023-11-23
ID:        RUSTSEC-2023-0072
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0072

Crate:     ahash
Version:   0.7.6
Warning:   yanked
Dependency tree:
ahash 0.7.6
└── hashbrown 0.12.3
    ├── indexmap 1.9.2
    │   └── h2 0.3.16
    │       ├── reqwest 0.11.14
    │       │   ├── teloxide-core 0.9.1
    │       │   │   └── teloxide 0.12.2
    │       │   │       └── telegpt 0.1.0
    │       │   ├── reqwest-eventsource 0.4.0
    │       │   │   └── async-openai 0.9.4
    │       │   │       └── telegpt 0.1.0
    │       │   └── async-openai 0.9.4
    │       └── hyper 0.14.24
    │           ├── reqwest 0.11.14
    │           └── hyper-tls 0.5.0
    │               └── reqwest 0.11.14
    └── hashlink 0.8.1
        └── rusqlite 0.28.0
            └── telegpt 0.1.0

Crate:     hermit-abi
Version:   0.3.1
Warning:   yanked
Dependency tree:
hermit-abi 0.3.1
└── is-terminal 0.4.4
    ├── env_logger 0.10.0
    │   └── telegpt 0.1.0
    └── clap 4.1.8
        └── telegpt 0.1.0

warning: 4 allowed warnings found

t4nature added 4 commits March 30, 2024 18:58
@t4nature
Fix incorrect length expectation in test_code
7c09b62 
This commit corrects the expected length of the code snippet in the test_code function from 19 to 18. The previous length expectation of 19 did not accurately reflect the number of characters in the given code snippet, leading to test failures. The adjustment ensures that the test accurately tests for the correct length of the code snippet, addressing the issue where the test would fail due to an off-by-one error in the length expectation.
@t4nature
Update h2 to 0.3.24 to fix DoS vulnerability
70586b7 
This update addresses the denial of service (DoS) vulnerability identified in h2 versions up to 0.3.16, as reported in RUSTSEC-2024-0003 and RUSTSEC-2023-0034.
@t4nature
Update mio to 0.8.11 to resolve token deregistration issue
40510c8 
This commit upgrades the `mio` dependency from version 0.8.6 to 0.8.11 to fix a vulnerability where tokens for named pipes could be delivered even after deregistration, as detailed in RUSTSEC-2024-0019. Post-upgrade testing with `cargo test` confirms no regressions introduced.
@t4nature
Update openssl to 0.10.55 to address security vulnerabilities
5b481c9 
This commit updates the `openssl` crate from version 0.10.45 to 0.10.55, mitigating several security issues as reported in RUSTSEC advisories: RUSTSEC-2023-0023, RUSTSEC-2023-0022, RUSTSEC-2023-0044, and RUSTSEC-2023-0024. The addressed vulnerabilities range from arbitrary file read capabilities and thread safety issues to buffer over-reads and null pointer dereferences in various `openssl` functions. Post-update, `cargo test` was executed to check for immediate issues; however, comprehensive stability testing of the application remains pending.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@t4nature