From 6e46a23a9075c44db73107e78ff42e799a9a974f Mon Sep 17 00:00:00 2001
From: "Neal H. Walfield"
Date: Fri, 19 May 2023 20:03:45 +0200
Subject: [PATCH] Upgrade to sequoia-openpgp 1.16.0, and buffered-reader 1.2.0.

sequoia-openpgp and buffered-reader contains some vulnerabilities that an attacker can use to crash sequoia-openpgp or buffered-reader and consequently the application. Upgrade to fixed versions.
---
 Cargo.lock | 52 ++++++++++++++++++++++++++++++++++------------------
 Cargo.toml | 2 +-
 2 files changed, 35 insertions(+), 19 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 4e1bbdd..b4aeadf 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -177,6 +177,12 @@ version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
 
+[[package]]
+name = "base64"
+version = "0.21.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4a4ddaa51a5bc52a6948f74c06d20aaaddb71924eab79b8c97a8c556e942d6a"
+
 [[package]]
 name = "binascii"
 version = "0.1.4"
@@ -185,9 +191,9 @@ checksum = "383d29d513d8764dcdc42ea295d979eb99c3c9f00607b3692cf68a431f7dca72"
 
 [[package]]
 name = "bindgen"
-version = "0.57.0"
+version = "0.63.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fd4865004a46a0aafb2a0a5eb19d3c9fc46ee5f063a6cfc605c69ac9ecf5263d"
+checksum = "36d860121800b2a9a94f9b5604b332d5cffb234ce17609ea479d723dbc9d3885"
 dependencies = [
  "bitflags",
  "cexpr",
@@ -200,6 +206,7 @@ dependencies = [
  "regex",
  "rustc-hash",
  "shlex",
+ "syn 1.0.105",
 ]
 
 [[package]]
@@ -244,10 +251,11 @@ dependencies = [
 
 [[package]]
 name = "buffered-reader"
-version = "1.1.3"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e9f82920285502602088677aeb65df0909b39c347b38565e553ba0363c242f65"
+checksum = "66d3bea5bcc3ecc38fe5388e6bc35e6fe7bd665eb3ae9a44283e15b91ad3867d"
 dependencies = [
+ "lazy_static",
  "libc",
 ]
 
@@ -277,9 +285,9 @@ checksum = "e9f73505338f7d905b19d18738976aae232eb46b8efc15554ffc56deb5d9ebe4"
 
 [[package]]
 name = "cexpr"
-version = "0.4.0"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4aedb84272dbe89af497cf81375129abda4fc0a9e7c5d317498c15cc30c0d27"
+checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
 dependencies = [
  "nom",
 ]
@@ -1589,6 +1597,12 @@ dependencies = [
  "unicase 2.6.0",
 ]
 
+[[package]]
+name = "minimal-lexical"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
 [[package]]
 name = "mio"
 version = "0.6.23"
@@ -1715,21 +1729,22 @@ dependencies = [
 
 [[package]]
 name = "nettle"
-version = "7.2.0"
+version = "7.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f5d193a809310369c5d16e45bc0a88cb27935edd5d3375bcfc2371b167694035"
+checksum = "b9fdccf3eae7b161910d2daa2f0155ca35041322e8fe5c5f1f2c9d0b12356336"
 dependencies = [
  "getrandom 0.2.8",
  "libc",
  "nettle-sys",
  "thiserror",
+ "typenum",
 ]
 
 [[package]]
 name = "nettle-sys"
-version = "2.1.0"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b13b685c7883e3a32196ccf3ce594947ec37ace43d74e157de7ca03d3fe62d17"
+checksum = "b5e81c347b9002da0b6b0c4060993c280e99eb14b42ecf65a2fefcd6eb3d8a73"
 dependencies = [
  "bindgen",
  "cc",
@@ -1768,12 +1783,12 @@ dependencies = [
 
 [[package]]
 name = "nom"
-version = "5.1.2"
+version = "7.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
+checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
 dependencies = [
  "memchr",
- "version_check 0.9.4",
+ "minimal-lexical",
 ]
 
 [[package]]
@@ -2622,12 +2637,12 @@ checksum = "e25dfac463d778e353db5be2449d1cce89bd6fd23c9f1ea21310ce6e5a1b29c4"
 
 [[package]]
 name = "sequoia-openpgp"
-version = "1.11.0"
+version = "1.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "50d9033c24b1d41fdfab2bbde66005d324625b4abee2af2aea6135bdd9543ff7"
+checksum = "30efff3f9930e85b4284e76bbdad741f36412dfb1e370efd0de5866ae1a11dfc"
 dependencies = [
  "anyhow",
- "base64 0.13.1",
+ "base64 0.21.0",
  "buffered-reader",
  "chrono",
  "dyn-clone",
@@ -2639,6 +2654,7 @@ dependencies = [
  "libc",
  "memsec",
  "nettle",
+ "once_cell",
  "rand 0.7.3",
  "regex",
  "regex-syntax",
@@ -2721,9 +2737,9 @@ dependencies = [
 
 [[package]]
 name = "shlex"
-version = "0.1.1"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fdf1b9db47230893d76faad238fd6097fd6d6a9245cd7a4d90dbd639536bbd2"
+checksum = "43b2853a4d09f215c24cc5489c992ce46052d359b5109343cbafbf26bc62f8a3"
 
 [[package]]
 name = "signal-hook-registry"
diff --git a/Cargo.toml b/Cargo.toml
index b73fb64..ff855e4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -19,7 +19,7 @@ anyhow = "1"
 rocket = { version = "0.5.0-rc.2", features = [ "json" ] }
 rocket_dyn_templates = { version = "0.1.0-rc.2", features = ["handlebars"] }
 rocket_codegen = "0.5.0-rc.2"
-sequoia-openpgp = { version = "1", default-features = false, features = ["crypto-nettle"] }
+sequoia-openpgp = { version = "1.16.0", default-features = false, features = ["crypto-nettle"] }
 multipart = "0"
 serde = "1.0"
 serde_derive = "1.0"
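Review bot: The manifest raises only the sequoia-openpgp floor, although the commit message names buffered-reader 1.2.0 as the second crate with a crash fix; the buffered-reader minimum is enforced here only by Cargo.lock and by whatever sequoia-openpgp 1.16.0 itself requires, neither of which this hunk shows. If the crate also uses buffered-reader directly, give it an explicit floor too, e.g. `buffered-reader = "1.2.0"`, so a later `cargo update` cannot settle below the fixed release. A comment above the changed line recording why the floor is 1.16.0 would help the next maintainer, e.g. `# >= 1.16.0: earlier releases can be crashed by untrusted input (see commit 6e46a23)`. The `[dependencies]` table this line belongs to starts outside the hunk.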