Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

atty dependency has security issue #11416

Closed
cemoktra opened this issue Nov 24, 2022 · 4 comments · Fixed by #11420
Closed

atty dependency has security issue #11416

cemoktra opened this issue Nov 24, 2022 · 4 comments · Fixed by #11420
Labels
A-security Area: security C-bug Category: bug O-windows OS: Windows

Comments

@cemoktra
Copy link

cemoktra commented Nov 24, 2022
edited
Loading

Problem

The dependency to atty has a security issue, also atty seems to be unmaintained.

https://rustsec.org/advisories/RUSTSEC-2021-0145

Steps

No response

Possible Solution(s)

Use https://crates.io/crates/is-terminal instead

Notes

No response

Version

0.66.0
@cemoktra cemoktra added the C-bug Category: bug label Nov 24, 2022
@cemoktra cemoktra changed the title atty dependency yanked atty dependency has security issue Nov 24, 2022
epage added a commit to epage/cargo that referenced this issue Nov 24, 2022
@epage
chore: Upgrade to env_logger
ead6e24 
This removes one path to `atty`.

Others:
- clap: fixed in 4.0.27
- pretty-env-logger: seanmonstar/pretty-env-logger#52 needs to be resolved first
- snapbox: this will be fixed soonish but is also only a test dependency
- direct dependency

This is part of rust-lang#11416
@epage epage mentioned this issue Nov 24, 2022
Merged
bors added a commit that referenced this issue Nov 24, 2022
@bors
Auto merge of #11417 - epage:logger, r=weihanglo
ef93600 
chore: Upgrade to env_logger

This removes one path to `atty`.

Others:
- clap: fixed in 4.0.27
- pretty-env-logger: seanmonstar/pretty-env-logger#52 needs to be resolved first
- snapbox: this will be fixed soonish but is also only a test dependency
- direct dependency

This is part of #11416
@ChrisDenton
Copy link
Member

ChrisDenton commented Nov 24, 2022
edited
Loading

As noted in the advisory, official releases of Cargo aren't affected by this particular soundness issue because they don't use an allocator that aligns to less than 8 bytes.

However the maintenance issue is still a concern.

@epage
Copy link
Contributor

epage commented Nov 24, 2022

While cargo-the-bin isn't affected, cargo-the-lib would be and there are people who link against cargod

@weihanglo weihanglo added O-windows OS: Windows A-security Area: security labels Nov 25, 2022
epage added a commit to epage/cargo that referenced this issue Nov 25, 2022
@epage
chore: Upgrade to env_logger
5a3bf71 
This removes one path to `atty`.

Others:
- clap: fixed in 4.0.27
- pretty-env-logger: seanmonstar/pretty-env-logger#52 needs to be resolved first
- snapbox: this will be fixed soonish but is also only a test dependency
- direct dependency

This is part of rust-lang#11416
bors added a commit that referenced this issue Nov 25, 2022
@bors
Auto merge of #11417 - epage:logger, r=weihanglo
ee755e7 
chore: Upgrade to env_logger

This removes one path to `atty`.

Others:
- clap: fixed in 4.0.27
- pretty-env-logger: seanmonstar/pretty-env-logger#52 needs to be resolved first
- snapbox: this will be fixed soonish but is also only a test dependency
- direct dependency

This is part of #11416
@weihanglo weihanglo mentioned this issue Nov 25, 2022
Merged
@bors bors closed this as completed in e027c4b Nov 25, 2022
@cemoktra
Copy link
Author

Great is this coming to next rust version or earlier?

@Muscraft
Copy link
Member

This will be in 1.67.0, which should release on January 26 2023 UTC.

The cutoff for 1.66.0 was on October 28 2022 UTC.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-security Area: security C-bug Category: bug O-windows OS: Windows
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Move off atty to resolve soundness issue epage/cargo
5 participants
@epage @ChrisDenton @weihanglo @cemoktra @Muscraft