fix: security_audit, bump ring from 0.17.8 to 0.17.13 (#15263)

Fixes this:

Vulnerabilities

RUSTSEC-2025-0009 (https://rustsec.org/advisories/RUSTSEC-2025-0009.html)

    Some AES functions may panic when overflow checking is enabled.

Details
  Package:          ring
  Version:          0.17.8
  URL:              https://github.com/briansmith/ring/blob/main/RELEASES.md#version-01712-2025-03-05
  Date:             2025-03-06
  Patched versions: >=0.17.12

ring::aead::quic::HeaderProtectionKey::new_mask() may panic when overflow
checking is enabled. In the QUIC protocol, an attacker can induce this panic by
sending a specially-crafted packet. Even unintentionally it is likely to occur
in 1 out of every 2**32 packets sent and/or received.

On 64-bit targets operations using ring::aead::{AES_128_GCM, AES_256_GCM} may
panic when overflow checking is enabled, when encrypting/decrypting approximately
68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols
like TLS and SSH are not affected by this because those protocols break large
amounts of data into small chunks. Similarly, most applications will not
attempt to encrypt/decrypt 64GB of data in one chunk.

Overflow checking is not enabled in release mode by default, but
RUSTFLAGS="-C overflow-checks" or overflow-checks = true in the Cargo.toml
profile can override this. Overflow checking is usually enabled by default in
debug mode.
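As an added example (not part of this commit, and not code from the ring project), here is a small std-only Rust check that reads the `ring` entries out of a Cargo.lock and flags any version below the advisory's patched floor of 0.17.12. It compares versions numerically, because a plain string comparison ranks "0.17.8" above "0.17.13" and would miss exactly this bump. The two lockfile excerpts are constructed to mirror the before and after sides of the diff below (checksum lines omitted); `Version`, `locked_versions`, `vulnerable_ring_versions` and `PATCHED_RING` are names chosen for this example.

```rust
// Added example, not part of the commit or of ring: flag Cargo.lock entries for
// `ring` that fall below the patched floor from RUSTSEC-2025-0009 (>= 0.17.12).
// std only; the lockfile excerpts below are constructed, checksum lines left out.

/// Numeric MAJOR.MINOR.PATCH triple. Deriving Ord gives numeric ordering, so
/// 0.17.13 > 0.17.8, unlike the string comparison "0.17.13" < "0.17.8".
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; anything else (pre-release tags, extra or
    /// missing components) yields None so a malformed entry cannot pass as fixed.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version(major, minor, patch))
    }
}

/// Patched floor taken from the advisory text: versions >= 0.17.12 are fixed.
pub const PATCHED_RING: Version = Version(0, 17, 12);

/// Extract the string value of a `key = "value"` line, if `line` is one.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start();
    let rest = rest.strip_prefix('=')?.trim_start().strip_prefix('"')?;
    let end = rest.find('"')?;
    Some(&rest[..end])
}

/// Minimal Cargo.lock reader: walk the `[[package]]` blocks and return the
/// version of every entry named `name`. A lockfile may hold several versions
/// of one crate, so all of them are returned rather than just the first.
pub fn locked_versions(lock: &str, name: &str) -> Vec<Version> {
    let mut found = Vec::new();
    for block in lock.split("[[package]]").skip(1) {
        let mut entry_name = None;
        let mut entry_version = None;
        for line in block.lines() {
            if let Some(v) = quoted_value(line, "name") {
                entry_name = Some(v);
            } else if let Some(v) = quoted_value(line, "version") {
                entry_version = Version::parse(v);
            }
        }
        if entry_name == Some(name) {
            if let Some(v) = entry_version {
                found.push(v);
            }
        }
    }
    found
}

/// Locked `ring` versions that are still below the patched range.
pub fn vulnerable_ring_versions(lock: &str) -> Vec<Version> {
    locked_versions(lock, "ring")
        .into_iter()
        .filter(|v| *v < PATCHED_RING)
        .collect()
}

/// Constructed excerpt mirroring the lockfile before the commit.
pub const LOCK_BEFORE: &str = r#"
[[package]]
name = "cc"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "ring"
version = "0.17.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "cc",
 "spin",
]

[[package]]
name = "spin"
version = "0.9.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Constructed excerpt mirroring the lockfile after the commit.
pub const LOCK_AFTER: &str = r#"
[[package]]
name = "cc"
version = "1.2.16"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "ring"
version = "0.17.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "cc",
]
"#;

fn main() {
    for (label, lock) in [("before", LOCK_BEFORE), ("after", LOCK_AFTER)] {
        let bad = vulnerable_ring_versions(lock);
        if bad.is_empty() {
            println!("{label}: ring is at a patched version");
        } else {
            println!("{label}: vulnerable ring versions locked: {bad:?}");
        }
    }
}
```

Running it reports the "before" excerpt as vulnerable (ring 0.17.8) and the "after" excerpt as clean; pointing `locked_versions` at the real Cargo.lock gives the same yes/no answer `cargo audit` would for this one advisory, without network access.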
zc he 2025-03-07 22:55:57 +08:00 committed by GitHub
parent 7d17c2eb5e
commit d122bc3d89
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

15
Cargo.lock generated

@ -893,9 +893,9 @@ dependencies = [
[[package]]
name = "cc"
version = "1.2.3"
version = "1.2.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "27f657647bcff5394bf56c7317665bbf790a137a50eaaa5c6bfbb9e27a518f2d"
checksum = "be714c154be609ec7f5dad223a33bf1482fff90472de28f7362806e6d4832b8c"
dependencies = [
"jobserver",
"libc",
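Review bot: the commit title only mentions ring, but this hunk also moves `cc` from 1.2.3 to 1.2.16. One line in the commit message saying whether that is a transitive requirement of ring 0.17.13 or an incidental pickup from `cargo update` would let a reviewer confirm the lockfile change is limited to what the advisory needs.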
@ -5989,15 +5989,14 @@ dependencies = [
[[package]]
name = "ring"
version = "0.17.8"
version = "0.17.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
checksum = "70ac5d832aa16abd7d1def883a8545280c20a60f523a370aa3a9617c2b8550ee"
dependencies = [
"cc",
"cfg-if",
"getrandom",
"libc",
"spin",
"untrusted",
"windows-sys 0.52.0",
]
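Review bot: 0.17.13 sits inside the advisory's patched range (>=0.17.12), so this hunk is the fix for RUSTSEC-2025-0009; the fact that cargo could lock it also shows the Cargo.toml requirement on ring already admits the new version. The dependency list in this hunk loses its `spin` line (15 old lines, 14 new), which is consistent with the following hunk dropping the `spin` package entry. Since the title references the security audit job, it would be worth noting in the message that `cargo audit` is clean after this change.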
@ -6739,12 +6738,6 @@ dependencies = [
"windows-sys 0.52.0",
]
[[package]]
name = "spin"
version = "0.9.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
[[package]]
name = "sqlparser"
version = "0.53.0"
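Review bot: the `@ -6739,12 +6738,6 @@` header shows exactly six lines removed, which is one whole `[[package]]` entry for spin 0.9.8 plus its separating blank line and nothing else. Cargo only drops a lockfile entry once no remaining crate needs it, so this confirms ring was the last user of `spin` and no manual cleanup of other dependency lists is required; the trailing `sqlparser` lines are unchanged context.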