From d122bc3d895d40adc0516f03b3d291cc45dbb76c Mon Sep 17 00:00:00 2001
From: zc he <blindfs19@gmail.com>
Date: Fri, 7 Mar 2025 22:55:57 +0800
Subject: [PATCH] fix: security_audit, bump ring from 0.17.8 to 0.17.13
 (#15263)

Fixes this:

<div class="Box p-3 markdown-body f5 mb-4">
          <h2 dir="auto">Vulnerabilities</h2>
<h3 dir="auto"><a
href="https://rustsec.org/advisories/RUSTSEC-2025-0009.html"
rel="nofollow">RUSTSEC-2025-0009</a></h3>
<blockquote>
<p dir="auto">Some AES functions may panic when overflow checking is
enabled.</p>
</blockquote>
<markdown-accessiblity-table data-catalyst=""><table role="table">
<thead>
<tr>
<th>Details</th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>Package</td>
<td><code class="notranslate">ring</code></td>
</tr>
<tr>
<td>Version</td>
<td><code class="notranslate">0.17.8</code></td>
</tr>
<tr>
<td>URL</td>
<td><a
href="https://github.com/briansmith/ring/blob/main/RELEASES.md#version-01712-2025-03-05">https://github.com/briansmith/ring/blob/main/RELEASES.md#version-01712-2025-03-05</a></td>
</tr>
<tr>
<td>Date</td>
<td>2025-03-06</td>
</tr>
<tr>
<td>Patched versions</td>
<td><code class="notranslate">&gt;=0.17.12</code></td>
</tr>
</tbody>
</table></markdown-accessiblity-table>
<p dir="auto"><code
class="notranslate">ring::aead::quic::HeaderProtectionKey::new_mask()</code>
may panic when overflow<br>
checking is enabled. In the QUIC protocol, an attacker can induce this
panic by<br>
sending a specially-crafted packet. Even unintentionally it is likely to
occur<br>
in 1 out of every 2**32 packets sent and/or received.</p>
<p dir="auto">On 64-bit targets operations using <code
class="notranslate">ring::aead::{AES_128_GCM, AES_256_GCM}</code>
may<br>
panic when overflow checking is enabled, when encrypting/decrypting
approximately<br>
68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk.
Protocols<br>
like TLS and SSH are not affected by this because those protocols break
large<br>
amounts of data into small chunks. Similarly, most applications will
not<br>
attempt to encrypt/decrypt 64GB of data in one chunk.</p>
<p dir="auto">Overflow checking is not enabled in release mode by
default, but<br>
<code class="notranslate">RUSTFLAGS=&amp;quot;-C
overflow-checks&amp;quot;</code> or <code
class="notranslate">overflow-checks = true</code> in the Cargo.toml<br>
profile can override this. Overflow checking is usually enabled by
default in<br>
debug mode.</p>
        </div>
---
 Cargo.lock | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 28431ecd72..8a536440a9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -893,9 +893,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.3"
+version = "1.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "27f657647bcff5394bf56c7317665bbf790a137a50eaaa5c6bfbb9e27a518f2d"
+checksum = "be714c154be609ec7f5dad223a33bf1482fff90472de28f7362806e6d4832b8c"
 dependencies = [
  "jobserver",
  "libc",
@@ -5989,15 +5989,14 @@ dependencies = [
 
 [[package]]
 name = "ring"
-version = "0.17.8"
+version = "0.17.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
+checksum = "70ac5d832aa16abd7d1def883a8545280c20a60f523a370aa3a9617c2b8550ee"
 dependencies = [
  "cc",
  "cfg-if",
  "getrandom",
  "libc",
- "spin",
  "untrusted",
  "windows-sys 0.52.0",
 ]
@@ -6739,12 +6738,6 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
-[[package]]
-name = "spin"
-version = "0.9.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
-
 [[package]]
 name = "sqlparser"
 version = "0.53.0"