This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate webc

Dependencies

(26 total, 3 outdated, 1 possibly insecure)

Crate | Required | Latest | Status
anyhow | ^1.0 | 1.0.98 | up to date
base64 | ^0.22.0 | 0.22.1 | up to date
bytes | ^1 | 1.10.1 | up to date
cfg-if | ^1.0.0 | 1.0.0 | up to date
ciborium | ^0.2.2 | 0.2.2 | up to date
document-features | ^0.2.8 | 0.2.11 | up to date
flate2 | ^1 | 1.1.1 | up to date
ignore | ^0.4 | 0.4.23 | up to date
indexmap | ^2 | 2.9.0 | up to date
leb128 | ^0.2.1 | 0.2.5 | up to date
lexical-sort | ^0.3.1 | 0.3.1 | up to date
libc | ^0.2.153 | 0.2.172 | up to date
once_cell | ^1 | 1.21.3 | up to date
path-clean | ^1.0 | 1.0.1 | up to date
rand | ^0.8.5 | 0.9.1 | out of date
semver | ^1.0.18 | 1.0.26 | up to date
sequoia-openpgp ⚠️ | ^1.8.0 | 2.0.0 | out of date
serde | ^1 | 1.0.219 | up to date
serde_json | ^1 | 1.0.140 | up to date
sha2 | ^0.10.2 | 0.10.9 | up to date
shared-buffer | ^0.1.2 | 0.1.4 | up to date
tar | ^0.4.39 | 0.4.44 | up to date
tempfile | ^3.3.0 | 3.20.0 | up to date
thiserror | ^1 | 2.0.12 | out of date
toml | ^0.8 | 0.8.22 | up to date
url | ^2.2.2 | 2.5.4 | up to date

Dev dependencies

(6 total, 1 outdated)

Crate | Required | Latest | Status
hexdump | ^0.1.1 | 0.1.2 | up to date
insta | ^1 | 1.43.1 | up to date
pretty_assertions | ^1.2.1 | 1.4.1 | up to date
regex | ^1.9.1 | 1.11.1 | up to date
tempfile | ^3.3.0 | 3.20.0 | up to date
ureq | ^2.7.1 | 3.0.11 | out of date

Security Vulnerabilities

sequoia-openpgp: Low severity (DoS) vulnerability in sequoia-openpgp

RUSTSEC-2024-0345

There is a denial-of-service vulnerability in sequoia-openpgp, our crate providing a low-level interface to our OpenPGP implementation. When triggered, the process will enter an infinite loop.

Many thanks to Andrew Gallagher for disclosing the issue to us.

Impact

Any software directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser is affected. Notably, this includes all software using the sequoia_cert_store crate.

Details

The RawCertParser does not advance the input stream when encountering unsupported cert (primary key) versions, resulting in an infinite loop.

The fix introduces a new raw-cert-specific error variant, cert::raw::Error::UnsupportedCert, so that an unsupported version is reported and the parser moves on to the next record.
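The failure mode described above, as an added illustration that is not sequoia-openpgp's code: a toy record parser (the `RawParser`, `Error`, `drain` and `SAMPLE` names and the record layout are all constructed for this example) that, in its vulnerable mode, returns an error for an unsupported version without advancing its position, so a caller iterating over it never terminates; in fixed mode it consumes the record before reporting the error.

```rust
// Toy record format (constructed for this illustration, not sequoia's code):
// each record is [version: u8][len: u8][body: len bytes].
#[derive(Debug, PartialEq)]
pub enum Error {
    UnsupportedCert(u8),
    Truncated,
}

/// `pos` is the stream position; `fixed` selects the patched behaviour.
pub struct RawParser<'a> {
    pub data: &'a [u8],
    pub pos: usize,
    pub fixed: bool,
}

/// Each item is one record's version, or why it could not be parsed.
impl<'a> Iterator for RawParser<'a> {
    type Item = Result<u8, Error>;
    fn next(&mut self) -> Option<Self::Item> {
        let start = self.pos;
        if start >= self.data.len() { return None; } // stream exhausted
        let version = self.data[start];
        let len = *self.data.get(start + 1).unwrap_or(&0) as usize;
        let end = start + 2 + len;
        if end > self.data.len() {
            self.pos = self.data.len(); // drop the truncated tail, still advancing
            return Some(Err(Error::Truncated));
        }
        if version != 4 && version != 6 {
            // Vulnerable behaviour: report the error but leave `pos` at the start
            // of the record, so every later call re-reads the same bytes forever.
            if self.fixed { self.pos = end; } // fix: consume the record first
            return Some(Err(Error::UnsupportedCert(version)));
        }
        self.pos = end;
        Some(Ok(version))
    }
}

/// Pull at most `budget` items: (records parsed, errors seen, reached end).
pub fn drain(p: RawParser<'_>, budget: usize) -> (usize, usize, bool) {
    let items: Vec<_> = p.take(budget).collect();
    let ok = items.iter().filter(|r| r.is_ok()).count();
    (ok, items.len() - ok, items.len() < budget)
}

/// Constructed input: a v4 cert, an unsupported v3 cert, then another v4 cert.
pub const SAMPLE: &[u8] = &[4, 2, 0xAA, 0xBB, 3, 1, 0xCC, 4, 1, 0xDD];
```

With `fixed: false`, `drain(.., 100)` spends its whole budget on the same v3 record and never reaches the end; with `fixed: true` it yields the two v4 records, one error, and terminates.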

Affected software

  • sequoia-openpgp 1.13.0
  • sequoia-openpgp 1.14.0
  • sequoia-openpgp 1.15.0
  • sequoia-openpgp 1.16.0
  • sequoia-openpgp 1.17.0
  • sequoia-openpgp 1.18.0
  • sequoia-openpgp 1.19.0
  • sequoia-openpgp 1.20.0
  • Any software built against a vulnerable version of sequoia-openpgp which is directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using the sequoia_cert_store crate.