Cargo audit shows a lot of security issues #1952
Comments
Thanks for sharing! I don't believe that any of these pose actual exploitable security issues in wezterm, in the sense that wezterm doesn't run with elevated privileges and thus doesn't provide an avenue for unexpected privilege escalation. Some of the issues mentioned are potential crash bugs in some circumstances that are unlikely to trigger in practice with their use in wezterm; some of the functions in the listed crates are not used in wezterm. The xcb crate does have unsoundness issues with its string processing; wezterm already bypasses that unsound string implementation and handles those problematic cases for itself. In addition xcb 1.0 radically changes the API which makes upgrading a non-trivial effort. While I'm not going to ignore these things, I don't think they are P0 drop-everything issues.
I have the same belief as well! but yeah,
The chrono issue has no resolution yet
The former is unmaintained and is flagging in cargo audit for its indirect deps. The starship folks have forked it; let's use that. refs: svartalf/rust-battery#92 refs: #1952
Was a bit fiddly. Eliminated the xcb_util crate refs: #1952
This cleans up the `cargo audit` output on linux because the `clipboard` crate (which hasn't been updated in 3 years) depends on xcb=0.8.2 which is flagged by cargo audit. We don't use `clipboard` on any platform except macos This commit switches to the `clipboard_macos` crate; that appears to use a copy and paste of the macos specific code from the `clipboard` crate, so this shouldn't have any change in functionality. refs: #1952
I've tidied up the dependency graph to prune most of the flagged items; what remains is the
@wez oh don't worry! also https://build.opensuse.org/package/show/openSUSE:Factory/wezterm it is now in Factory! hooray!
Great! Would you mind submitting a PR to wezterm's install instructions to show users how to install that on SuSE?
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
What Operating System(s) are you seeing this problem on?
Linux X11, Linux Wayland
WezTerm version
20220408-101518-b908e2dd
Did you try the latest nightly build to see if the issue is better (or worse!) than your current version?
No, and I'll explain why below
Describe the bug
I am packaging wezterm for openSUSE. The openSUSE Build Service uses cargo audit to check security issues of the crates.
So I ran
cargo audit --json | jq '.["vulnerabilities"]["list"][]' > audit.txt
so I can send you the file: audit.txt
To Reproduce
No response
Configuration
N/A
Expected Behavior
Little to no security issues shown by cargo audit
Logs
N/A
Anything else?
No response
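The reporter piped `cargo audit --json` through jq to extract the vulnerability list, and the maintainer then triaged each finding by asking whether a patched release exists, whether the flagged functions are reachable from wezterm, and whether the crate is merely unmaintained (the rust-battery and clipboard cases). The script below is an added example, not wezterm's code or part of the issue: it parses a constructed cargo-audit style report and groups findings by that next action. The JSON field names (`vulnerabilities.list[]` with `advisory`, `package`, `versions`, `affected`, and `warnings` keyed by kind) are my assumption about cargo-audit's report format and should be checked against real output; all advisory ids, crate names and versions in the sample are made up.

```python
import json
from dataclasses import dataclass, field

# Constructed sample report mimicking `cargo audit --json`. Advisory ids, crate
# names, versions and URLs are placeholders invented for this example.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 2,
        "list": [
            {
                "advisory": {"id": "RUSTSEC-0000-0001", "package": "example-parser",
                             "title": "Out-of-bounds read in parse_header",
                             "url": "https://example.invalid/RUSTSEC-0000-0001"},
                "versions": {"patched": [">=1.2.0"], "unaffected": []},
                # Advisory names the affected function, which lets a maintainer
                # check reachability instead of treating every finding as P0.
                "affected": {"arch": [], "os": [],
                             "functions": {"example_parser::parse_header": ["<1.2.0"]}},
                "package": {"name": "example-parser", "version": "1.1.0"},
            },
            {
                "advisory": {"id": "RUSTSEC-0000-0002", "package": "example-time",
                             "title": "Potential segfault in localtime_r",
                             "url": "https://example.invalid/RUSTSEC-0000-0002"},
                "versions": {"patched": [], "unaffected": []},   # no fix released yet
                "affected": None,
                "package": {"name": "example-time", "version": "0.4.19"},
            },
        ],
    },
    # Informational warnings (unmaintained/unsound/yanked) live under "warnings".
    "warnings": {
        "unmaintained": [
            {"kind": "unmaintained",
             "package": {"name": "example-battery", "version": "0.7.8"},
             "advisory": {"id": "RUSTSEC-0000-0003", "title": "example-battery is unmaintained"}}
        ]
    },
})


@dataclass
class Finding:
    advisory_id: str
    crate: str
    version: str
    title: str
    kind: str  # "vulnerability" or a warning kind such as "unmaintained"
    patched: list = field(default_factory=list)
    affected_functions: list = field(default_factory=list)

    @property
    def fix_available(self) -> bool:
        return bool(self.patched)

    def triage_hint(self) -> str:
        """The next action a maintainer would take on this finding."""
        if self.kind != "vulnerability":
            return f"{self.kind}: consider a maintained fork or replacement"
        if not self.fix_available:
            return "no patched release yet: assess reachability, pin or replace"
        if self.affected_functions:
            return "check whether the listed functions are reachable from this code base"
        return "upgrade to a patched version"


def parse_report(raw_json: str) -> list:
    """Flatten vulnerabilities and warnings from a cargo-audit JSON report."""
    report = json.loads(raw_json)
    findings = []
    for entry in report.get("vulnerabilities", {}).get("list", []):
        affected = entry.get("affected") or {}
        findings.append(Finding(
            advisory_id=entry["advisory"]["id"],
            crate=entry["package"]["name"],
            version=entry["package"]["version"],
            title=entry["advisory"]["title"],
            kind="vulnerability",
            patched=list(entry.get("versions", {}).get("patched", [])),
            affected_functions=sorted((affected.get("functions") or {}).keys()),
        ))
    for kind, entries in report.get("warnings", {}).items():
        for entry in entries:
            findings.append(Finding(
                advisory_id=entry["advisory"]["id"],
                crate=entry["package"]["name"],
                version=entry["package"]["version"],
                title=entry["advisory"]["title"],
                kind=kind,
            ))
    return findings


def summarize(findings: list) -> dict:
    """Group findings by triage hint -> ["crate version (advisory id)", ...]."""
    by_hint = {}
    for f in findings:
        by_hint.setdefault(f.triage_hint(), []).append(f"{f.crate} {f.version} ({f.advisory_id})")
    return by_hint


if __name__ == "__main__":
    for hint, crates in summarize(parse_report(SAMPLE_REPORT)).items():
        print(hint)
        for c in crates:
            print("  -", c)
```

To use it on a real project, replace `SAMPLE_REPORT` with the text of `cargo audit --json`; the grouping separates "upgrade now" from "verify reachability" and "replace the crate", which is the distinction the maintainer drew above between crash bugs in unused code paths and issues that actually warrant a dependency change.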