Skip to content
Audit-Check

Bring no-std-check into the main workspace #104

Sign in to view logs

Bring no-std-check into the main workspace

Bring no-std-check into the main workspace #104

GitHub Actions / Security audit failed Feb 23, 2024 in 0s

Security advisories found

1 advisories, 4 unmaintained

Details

Vulnerabilities

RUSTSEC-2022-0093

Double Public Key Signing Function Oracle Attack on ed25519-dalek

Details
Package ed25519-dalek
Version 1.0.1
URL https://github.com/MystenLabs/ed25519-unsafe-libs
Date 2022-06-11
Patched versions >=2

Versions of ed25519-dalek prior to v2.0 model private and public keys as
separate types which can be assembled into a Keypair, and also provide APIs
for serializing and deserializing 64-byte private/public keypairs.

Such APIs and serializations are inherently unsafe as the public key is one of
the inputs used in the deterministic computation of the S part of the signature,
but not in the R value. An adversary could somehow use the signing function as
an oracle that allows arbitrary public keys as input can obtain two signatures
for the same message sharing the same R and only differ on the S part.

Unfortunately, when this happens, one can easily extract the private key.

Revised public APIs in v2.0 of ed25519-dalek do NOT allow a decoupled
private/public keypair as signing input, except as part of specially labeled
"hazmat" APIs which are clearly labeled as being dangerous if misused.

Warnings

RUSTSEC-2021-0139

ansi_term is Unmaintained

Details
Status unmaintained
Package ansi_term
Version 0.12.1
URL ogham/rust-ansi-term#72
Date 2021-08-18

The maintainer has advised that this crate is deprecated and will not receive any maintenance.

The crate does not seem to have much dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

Dependency Specific Migration(s)

RUSTSEC-2022-0080

parity-util-mem Unmaintained

Details
Status unmaintained
Package parity-util-mem
Version 0.10.2
URL paritytech/parity-common#696
Date 2022-11-30

The crate has been deprecated and will receive no updates with no repository source.

The crate has a warning surrounding it's use related to global allocator use that may lead to UB.

RUSTSEC-2022-0061

Crate parity-wasm deprecated by the author

Details
Status unmaintained
Package parity-wasm
Version 0.42.2
URL paritytech/parity-wasm#334
Date 2022-10-01

This PR explicitly deprecates parity-wasm.
The author recommends switching to wasm-tools.

RUSTSEC-2021-0127

serde_cbor is unmaintained

Details
Status unmaintained
Package serde_cbor
Version 0.11.2
URL https://github.com/pyfisch/cbor
Date 2021-08-15

The serde_cbor crate is unmaintained. The author has archived the github repository.

Alternatives proposed by the author:

View more details on GitHub Actions