
Vulnerable rust crates in use #2899

Closed
jcsec-security opened this issue Mar 13, 2024 · 3 comments
Labels
bug Something isn't working

Comments


jcsec-security commented Mar 13, 2024

Note

This issue has been submitted on behalf of the CosmicValidator and Mandragora teams, participants of the Namada Shielded Expedition.


Namada 0.31.9 relies on several software components with security vulnerabilities. Although some are probably well-known, others include security issues that have recently been made public in 2024. The Namada team may not have direct control over all the affected crates, but it could prompt the maintainers to update their dependencies.

The below vulnerabilities can be partially or fully addressed by the Namada team:

  • eyre v0.6.9

    • RUSTSEC-2024-0021: Parts of Report are dropped as the wrong type during downcast
    • Solution: Upgrade to >=0.6.12
    • Affects: namada_tests 0.31.9, namada_merkle_tree 0.31.9, namada_ethereum_bridge 0.31.9, namada_core 0.31.9, namada_apps 0.31.9, namada 0.31.9
  • parity-wasm v0.45.0

    • RUSTSEC-2022-0061: Crate parity-wasm deprecated by the author
    • Solution: switch to a maintained crate.
    • Affects: namada 0.31.9
  • parse_duration v2.1.1

    • RUSTSEC-2021-0041: Denial of service through parsing payloads with too big exponent
    • Solution: No fixed upgrade is available. A wrapper around the affected library to error upon big exponents could be a feasible remediation.
    • Affects: namada_sdk 0.31.9, namada 0.31.9

The following vulnerable crates are part of Namada's dependency tree; therefore, additional teams should be prompted to make the required changes to ensure adequate supply chain security.

  • h2 v0.3.22

    • RUSTSEC-2024-0003: Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
    • Solution: Upgrade to ^0.3.24 OR >=0.4.2
  • libgit2-sys v0.16.1+1.7.1

    • Severity 8.6 (high) RUSTSEC-2024-0013: Memory corruption, denial of service, and arbitrary code execution in libgit2
    • Solution: Upgrade to >=0.16.2
  • serde-json-wasm v1.0.0

    • RUSTSEC-2024-0012: Stack overflow during recursive JSON parsing
    • Solution: Upgrade to >=1.0.1 OR >=0.5.2, <1.0.0
  • mio v0.8.10

    • RUSTSEC-2024-0019: Tokens for named pipes may be delivered after deregistration
    • Solution: Upgrade to >=0.8.11
  • shlex v1.2.0

    • RUSTSEC-2024-0006: Multiple issues involving quote API
    • Solution: Upgrade to >=1.3.0
  • crossbeam-utils v0.7.2

    • RUSTSEC-2022-0041: Unsoundness of AtomicCell<*64> arithmetics on 32-bit targets that support Atomic64
  • libsecp256k1 v0.3.5

    • RUSTSEC-2021-0076: libsecp256k1 allows overflowing signatures
    • Solution: Upgrade to >=0.5.0
  • serde_cbor v0.11.2

  • mach v0.3.2

  • serde_yaml v0.7.5

    • RUSTSEC-2018-0005: Uncontrolled recursion leads to abort in deserialization
    • Solution: Upgrade to >=0.8.4

Tip

To get the complete dependency tree of each vulnerable crate, run cargo audit
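A guard of the kind the report suggests for parse_duration, as an added example that is not code from the issue, from Namada, or from the parse_duration crate: it refuses duration strings whose decimal exponent exceeds a bound before any parser sees them, so the parser never spends CPU expanding 10^huge. The bound MAX_EXPONENT, the GuardError type and the small stand-in parser are all assumptions of this example; in a real wrapper the stand-in would be replaced by the call into the affected library.

```rust
// Added example (not Namada's or parse_duration's code): reject oversized
// exponents up front, then hand sane input to a minimal stand-in parser.
use std::time::Duration;

/// Largest decimal exponent accepted. Constructed bound for this example:
/// 10^12 seconds is roughly 31,700 years, so anything larger is not a
/// legitimate duration and is refused without further work.
pub const MAX_EXPONENT: i64 = 12;

#[derive(Debug, PartialEq)]
pub enum GuardError {
    /// Input carried an exponent larger than MAX_EXPONENT (value reported).
    ExponentTooLarge(i64),
    /// Number or unit could not be parsed.
    Unparseable,
    /// Parsed value does not fit in a Duration (negative, NaN, overflow).
    OutOfRange,
}

/// Returns the largest exponent written as `<digit>e<int>` in `input`, or
/// None if no exponent notation is present. Letters inside unit names such
/// as "seconds" are ignored because they are not preceded by a digit or '.'.
pub fn largest_exponent(input: &str) -> Option<i64> {
    let bytes = input.as_bytes();
    let mut largest: Option<i64> = None;
    let mut i = 1;
    while i < bytes.len() {
        let prev_is_num = bytes[i - 1].is_ascii_digit() || bytes[i - 1] == b'.';
        if (bytes[i] == b'e' || bytes[i] == b'E') && prev_is_num {
            let mut j = i + 1;
            if j < bytes.len() && (bytes[j] == b'+' || bytes[j] == b'-') {
                j += 1;
            }
            let start = j;
            while j < bytes.len() && bytes[j].is_ascii_digit() {
                j += 1;
            }
            if j > start {
                // Only ASCII digits here, so the sole parse failure is i64
                // overflow; treat that as "too large" instead of dropping it.
                let exp = input[start..j].parse::<i64>().unwrap_or(i64::MAX);
                largest = Some(largest.map_or(exp, |l| l.max(exp)));
            }
            i = j;
        } else {
            i += 1;
        }
    }
    largest
}

/// Stand-in parser for "<number>[e<exp>] <unit>" (constructed for this
/// example; the real parse_duration crate accepts a much richer grammar).
fn parse_simple(input: &str) -> Result<Duration, GuardError> {
    let s = input.trim();
    let num_len = s
        .find(|c: char| !(c.is_ascii_digit() || matches!(c, '.' | 'e' | 'E' | '+' | '-')))
        .unwrap_or(s.len());
    let value: f64 = s[..num_len].parse().map_err(|_| GuardError::Unparseable)?;
    let multiplier = match s[num_len..].trim() {
        "ms" | "millis" | "milliseconds" => 0.001,
        "" | "s" | "sec" | "secs" | "second" | "seconds" => 1.0,
        "m" | "min" | "mins" | "minute" | "minutes" => 60.0,
        "h" | "hr" | "hour" | "hours" => 3_600.0,
        "d" | "day" | "days" => 86_400.0,
        _ => return Err(GuardError::Unparseable),
    };
    // try_from_secs_f64 rejects negative, NaN and out-of-range values.
    Duration::try_from_secs_f64(value * multiplier).map_err(|_| GuardError::OutOfRange)
}

/// The wrapper the report suggests: check the exponent before parsing.
pub fn parse_duration_guarded(input: &str) -> Result<Duration, GuardError> {
    if let Some(exp) = largest_exponent(input) {
        if exp > MAX_EXPONENT {
            return Err(GuardError::ExponentTooLarge(exp));
        }
    }
    parse_simple(input)
}

fn main() {
    // Constructed samples: two benign inputs and two hostile exponents.
    for &sample in ["90 seconds", "1.5e3 ms", "2e100000000 s", "1e99999999999999999999 s"].iter() {
        println!("{:?} -> {:?}", sample, parse_duration_guarded(sample));
    }
}
```

The guard is deliberately syntactic: it never evaluates the exponent, so even a twenty-digit exponent costs one integer parse, which is exactly the cost the original parser fails to bound.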

@jcsec-security jcsec-security added the bug Something isn't working label Mar 13, 2024
@quangtuyen88

Bro, there are many ppl reporting the same as you, and this is a duplicate of a ticket from the team.
This is a duplicate of #1023 and
#2860 (comment)


quangtuyen88 commented Mar 14, 2024

> This issue has been submitted on behalf of the [CosmicValidator](https://x.com/CosmicValidator) and [Mandragora](https://twitter.com/mandragora_spem) teams, participants of the Namada Shielded Expedition.

Also, unless they have another ticket older than #1023, all reports after the SE are duplicates.
I'm too tired of seeing ppl report the same issue here trying to get the same points :))..

@jcsec-security (Author)

You are right! Looks like a dup, closing it now.

@jcsec-security jcsec-security closed this as not planned Won't fix, can't repro, duplicate, stale Mar 14, 2024