Deps.rs

matrix-sdk-qrcode 0.4.0

[![dependency status](https://deps.rs/crate/matrix-sdk-qrcode/0.4.0/status.svg)](https://deps.rs/crate/matrix-sdk-qrcode/0.4.0)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate matrix-sdk-qrcode

Dependencies

(6 total, 5 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 base64^0.13.00.22.1out of date
 byteorder^1.4.31.5.0up to date
 qrcode^0.12.00.14.1out of date
 ruma-common^0.10.00.15.2out of date
 thiserror^1.0.302.0.12out of date
 vodozemac ⚠️^0.3.00.9.0out of date

Dev dependencies

(2 total, 2 outdated)

CrateRequiredLatestStatus
 image^0.23.00.25.6out of date
 qrcode^0.12.00.14.1out of date

Security Vulnerabilities

vodozemac: Usage of non-constant time base64 decoder could lead to leakage of secret key material

RUSTSEC-2024-0354

Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and PkDecryption Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack.

Impact

The use of a non-constant time base64 implementation might allow an attacker to observe timing variations in the encoding and decoding operations of the secret key material. This could potentially provide insights into the underlying secret key material.

The impact of this vulnerability is considered low because exploiting the attacker is required to have access to high precision timing measurements, as well as repeated access to the base64 encoding or decoding processes. Additionally, the estimated leakage amount is bounded and low according to the referenced paper[1].