Deps.rs

EmbarkStudios / buildkite-jobify

[![dependency status](https://deps.rs/repo/github/EmbarkStudios/buildkite-jobify/status.svg)](https://deps.rs/repo/github/EmbarkStudios/buildkite-jobify)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate buildkite-jobify

Dependencies

(26 total, 9 outdated, 3 possibly insecure)

CrateRequiredLatestStatus
 anyhow^1.01.0.98up to date
 app_dirs2^2.32.5.5up to date
 base64^0.130.22.1out of date
 bytes^1.01.10.1up to date
 camino^1.01.1.9up to date
 clap^3.24.5.37out of date
 crossbeam^0.80.8.4up to date
 flate2^1.01.1.1up to date
 futures^0.30.3.31up to date
 graphql_client^0.110.14.0out of date
 http^0.21.3.1out of date
 lru_time_cache^0.110.11.11up to date
 openssl ⚠️^0.100.10.72maybe insecure
 reqwest^0.110.12.15out of date
 serde^1.01.0.219up to date
 serde_json^1.01.0.140up to date
 serde_yaml^0.90.9.34+deprecatedup to date
 tar ⚠️^0.40.4.44maybe insecure
 toml^0.50.8.22out of date
 tame-oauth^0.70.10.0out of date
 tracing^0.10.1.41up to date
 tracing-subscriber^0.30.3.19up to date
 twox-hash^1.62.1.0out of date
 uuid^1.11.16.0up to date
 tokio ⚠️^1.01.45.0maybe insecure
 k8s-openapi^0.150.24.0out of date

Security Vulnerabilities

tar: Links in archive can create arbitrary directories

RUSTSEC-2021-0080

When unpacking a tarball that contains a symlink the tar crate may create directories outside of the directory it's supposed to unpack into.

The function errors when it's trying to create a file, but the folders are already created at this point.

use std::{io, io::Result};
use tar::{Archive, Builder, EntryType, Header};

fn main() -> Result<()> {
    let mut buf = Vec::new();

    {
        let mut builder = Builder::new(&mut buf);

        // symlink: parent -> ..
        let mut header = Header::new_gnu();
        header.set_path("symlink")?;
        header.set_link_name("..")?;
        header.set_entry_type(EntryType::Symlink);
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        // file: symlink/exploit/foo/bar
        let mut header = Header::new_gnu();
        header.set_path("symlink/exploit/foo/bar")?;
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        builder.finish()?;
    };

    Archive::new(&*buf).unpack("demo")
}

This has been fixed in https://github.com/alexcrichton/tar-rs/pull/259 and is published as tar 0.4.36. Thanks to Martin Michaelis (@mgjm) for discovering and reporting this, and Nikhil Benesch (@benesch) for the fix!

tokio: reject_remote_clients Configuration corruption

RUSTSEC-2023-0001

On Windows, configuring a named pipe server with pipe_mode will force ServerOptions::reject_remote_clients as false.

This drops any intended explicit configuration for the reject_remote_clients that may have been set as true previously.

The default setting of reject_remote_clients is normally true meaning the default is also overridden as false.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);

openssl: Use-After-Free in `Md::fetch` and `Cipher::fetch`

RUSTSEC-2025-0022

When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).

The maintainers thank quitbug for reporting this vulnerability to us.