
Got "security vulnerability detected" in ci with 0.5.0 branch #303

Description

@teawater

#301

```text
info: the active toolchain `1.77.0-x86_64-unknown-linux-musl` has been installed
info: it's active because: overridden by '/github/workspace/rust-toolchain.toml'
error[vulnerability]: Crash due to uncontrolled recursion in protobuf crate
   ┌─ /github/workspace/Cargo.lock:34:1
   │
34 │ protobuf 2.28.0 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2024-0437
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0437
   ├ Affected version of this crate did not properly parse unknown fields when parsing a user-supplied input.
     
     This allows an attacker to cause a stack overflow when parsing the mssage on untrusted data.
   ├ Announcement: https://github.com/stepancheg/rust-protobuf/issues/749
   ├ Solution: Upgrade to >=3.7.2 (try `cargo update -p protobuf`)
   ├ protobuf v2.28.0
     ├── protobuf-codegen v2.28.0
     │   └── protobuf-codegen-pure v2.28.0
     │       └── (build) ttrpc v0.5.9
     ├── protobuf-codegen-pure v2.28.0 (*)
     └── ttrpc v0.5.9 (*)

advisories FAILED
```
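As an added example (not part of this issue or of the ttrpc-rust project), a small Python check that reads the `[[package]]` entries of a Cargo.lock and flags every locked copy of an affected crate that is older than the advisory's patched version. The lock excerpt is constructed to mirror the `protobuf 2.28.0` entry in the log above; the advisory ID and the `>=3.7.2` threshold are taken from the log, and the version ordering assumes semver rules (a pre-release such as `3.7.2-pre.1` sorts below `3.7.2` and so is still reported).

```python
import re

# Constructed Cargo.lock excerpt mirroring the protobuf 2.28.0 entry in the CI log above.
SAMPLE_LOCK = """\
[[package]]
name = "protobuf"
version = "2.28.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "ttrpc"
version = "0.5.9"
"""

# Affected crate and patched version as stated in the advisory quoted in the log.
ADVISORIES = {"RUSTSEC-2024-0437": ("protobuf", "3.7.2")}


def parse_version(v):
    # '3.7.2-pre.1' -> ((3, 7, 2), False): a pre-release sorts below the release
    # it precedes, so it is not treated as already patched.
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(x) for x in core.split(".")), "-" not in v


def parse_lock(text):
    # Line-based reader for [[package]] blocks. One (name, version) per entry,
    # so a crate locked at several versions is reported once per copy.
    packages, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if current:
                packages.append(current)
            current = {}
            continue
        m = re.match(r'^(name|version)\s*=\s*"([^"]*)"$', line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        packages.append(current)
    return [(p["name"], p["version"]) for p in packages if "name" in p and "version" in p]


def find_vulnerable(lock_text, advisories=ADVISORIES):
    # Returns (advisory, crate, locked, patched) for each locked copy older than the fix.
    findings = []
    for name, version in parse_lock(lock_text):
        for adv_id, (crate, patched) in advisories.items():
            if name == crate and parse_version(version) < parse_version(patched):
                findings.append((adv_id, name, version, patched))
    return findings
```

Because 2.28.0 to 3.7.2 crosses a major version, `cargo update -p protobuf` cannot reach the fix while the Cargo.toml requirement still pins `2.x`; the requirement itself has to move to the 3.x line.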
