How do you deal with vulnerabilities in crates which are way upstream?

vronin · September 23, 2022, 12:03am

Hello,

GitHub has a nice feature(dependabot) to notify about vulnerabilities in crates which you use. I usually like to be proactive and take care of that.

However, I stumbled on the issues that sometimes the vulnerability is way-way upstream.

For example, a critical vulnerability in traitobject exist (NVD - CVE-2020-35881). We don't use it directly, but rather we got it via following dependency chain:

logsrs->typemap->unsafe-any->traitobject.

What do you do in such case? Do you fork it/fix it and and do [patch] to override dependency? Per my understanding it should work.

However, I see only 3 (public) forks of traitobject for 2.5M of logrs downloads which leads me to question whether other people do it like that.

Regards,
Victor

kornel · September 23, 2022, 12:31am

If the original maintainer doesn't do anything about it, then you'll need to fork, and then bug users of the vulnerable crate to switch to the fork (or fork recursively).

[patch] may be okay as a temporary solution locally, but for crates-io crates you'll need actual dependencies updated.

system · December 22, 2022, 12:31am

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.

Topic		Replies	Views
Supply chain attack scenarios	9	1513	July 7, 2021
Bug still unresolved since 2015 (cve-rs)?!	40	2429	June 9, 2024
Security advisories for April 2020: rustqlite, os_str_bytes, flatbuffers announcements	6	813	August 11, 2020
Security advisory for crates.io, 2017-09-19 announcements	9	13042	July 3, 2022
How to work with a forked dependency? help	9	5750	January 12, 2023

How do you deal with vulnerabilities in crates which are way upstream?

Related topics