This repository has been archived by the owner on Nov 15, 2023. It is now read-only.

Bump linregress due to security vulnerability #9262

Merged
merged 1 commit into from
Jul 5, 2021

Conversation

trevor-crypto
Contributor

https://rustsec.org/advisories/RUSTSEC-2021-0070

Here is the cargo deny failure:

    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0070
    = The `Deserialize` implementation for `VecStorage` did not maintain the invariant that the number of elements must equal `nrows * ncols`. Deserialization of specially crafted inputs could allow memory access beyond allocation of the vector.
      
      This flaw was introduced in v0.11.0 ([`086e6e`](https://github.com/dimforge/nalgebra/commit/086e6e719f53fecba6dadad2e953a487976387f5)) due to the addition of an automatically derived implementation of `Deserialize` for `MatrixVec`. `MatrixVec` was later renamed to `VecStorage` in v0.16.13 ([`0f66403`](https://github.com/dimforge/nalgebra/commit/0f66403cbbe9eeac15cedd8a906c0d6a3d8841f2)) and continued to use the automatically derived implementation of `Deserialize`.
      
      This flaw was corrected in commit [`5bff536`](https://github.com/dimforge/nalgebra/commit/5bff5368bf38ddfa31416e4ae9897b163031a513) by returning an error during deserialization if the number of elements does not exactly match the expected size.
    = Announcement: https://github.com/dimforge/nalgebra/issues/883
    = Solution: Upgrade to >=0.27.1
    = nalgebra v0.26.2
      └── statrs v0.14.0
          └── linregress v0.4.2
              └── frame-benchmarking v3.1.0
                  └── pallet-balances v3.0.0
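The advisory above comes down to one missing check: a derived `Deserialize` accepted any `Vec` for the storage while the indexing code assumed `data.len() == nrows * ncols`. The following is an added example written for this page (it is not nalgebra's code and not part of this PR): a `VecStorage`-style column-major buffer whose only constructor from untrusted input, `try_from_parts`, enforces that invariant and also guards the `nrows * ncols` multiplication against overflow. The text format `"<nrows>,<ncols>;<v0>,<v1>,..."` parsed by `decode` is a constructed, hypothetical wire format standing in for serde; the sample payloads in `main` are constructed as well.

```rust
use std::fmt;

/// Column-major matrix buffer in the style of nalgebra's `VecStorage`.
/// Stand-alone sketch written for this page, not nalgebra's type.
#[derive(Debug, PartialEq)]
pub struct VecStorage {
    nrows: usize,
    ncols: usize,
    /// Invariant: `data.len() == nrows * ncols`. Every accessor relies on it.
    data: Vec<f64>,
}

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Syntax(String),
    DimensionOverflow,
    LengthMismatch { expected: usize, found: usize },
}

impl fmt::Display for DecodeError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            DecodeError::Syntax(msg) => write!(f, "malformed input: {}", msg),
            DecodeError::DimensionOverflow => write!(f, "nrows * ncols overflows usize"),
            DecodeError::LengthMismatch { expected, found } => {
                write!(f, "expected {} elements, found {}", expected, found)
            }
        }
    }
}

impl VecStorage {
    /// The only way to build a `VecStorage` from untrusted parts: reject any
    /// payload whose element count does not exactly match `nrows * ncols`.
    /// This is the check the advisory says the fix added during deserialization.
    pub fn try_from_parts(nrows: usize, ncols: usize, data: Vec<f64>) -> Result<Self, DecodeError> {
        let expected = nrows
            .checked_mul(ncols)
            .ok_or(DecodeError::DimensionOverflow)?;
        if data.len() != expected {
            return Err(DecodeError::LengthMismatch { expected, found: data.len() });
        }
        Ok(VecStorage { nrows, ncols, data })
    }

    /// Decode the constructed text format `"<nrows>,<ncols>;<v0>,<v1>,..."`
    /// (hypothetical wire format for this example). Syntax parsing alone says
    /// nothing about the invariant; `try_from_parts` is what enforces it.
    pub fn decode(input: &str) -> Result<Self, DecodeError> {
        let (dims, values) = input
            .split_once(';')
            .ok_or_else(|| DecodeError::Syntax("missing ';' between dimensions and values".into()))?;
        let (r, c) = dims
            .split_once(',')
            .ok_or_else(|| DecodeError::Syntax("dimensions must be 'nrows,ncols'".into()))?;
        let nrows: usize = r
            .trim()
            .parse()
            .map_err(|e| DecodeError::Syntax(format!("nrows: {}", e)))?;
        let ncols: usize = c
            .trim()
            .parse()
            .map_err(|e| DecodeError::Syntax(format!("ncols: {}", e)))?;
        let data: Vec<f64> = if values.trim().is_empty() {
            Vec::new()
        } else {
            values
                .split(',')
                .map(|v| {
                    v.trim()
                        .parse::<f64>()
                        .map_err(|e| DecodeError::Syntax(format!("value '{}': {}", v.trim(), e)))
                })
                .collect::<Result<_, _>>()?
        };
        Self::try_from_parts(nrows, ncols, data)
    }

    /// Column-major element access. Because construction enforced the
    /// invariant, the computed index always lies inside `data`.
    pub fn get(&self, i: usize, j: usize) -> Option<f64> {
        if i >= self.nrows || j >= self.ncols {
            return None;
        }
        Some(self.data[j * self.nrows + i])
    }

    pub fn shape(&self) -> (usize, usize) {
        (self.nrows, self.ncols)
    }
}

fn main() {
    // Constructed sample payloads: a well-formed 2x3 matrix and a truncated one.
    for payload in ["2,3;1,2,3,4,5,6", "2,3;1,2,3,4"] {
        match VecStorage::decode(payload) {
            Ok(m) => println!("{:?} -> shape {:?}, m[1,2] = {:?}", payload, m.shape(), m.get(1, 2)),
            Err(e) => println!("{:?} -> rejected: {}", payload, e),
        }
    }
}
```

The point for a reviewer of any `Deserialize` impl is the same as in the advisory: a struct whose fields are individually valid can still be inconsistent as a whole, and a derived implementation never checks cross-field invariants. Routing construction through one validating function (and keeping the fields private so nothing else can build the struct) means a short or oversized payload is refused at the boundary instead of being discovered, or not, at the first indexed access.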

@cla-bot-2021

cla-bot-2021 bot commented Jul 2, 2021

User @trevor-crypto, please sign the CLA here.

@trevor-crypto
Contributor Author

I don't think I can add a label here, so can someone label this as "insubstantial" since it is only a dependency bump?

@coriolinus coriolinus added A2-insubstantial Pull request requires no code review (e.g., a sub-repository hash update). B0-silent Changes should not be mentioned in any release notes C1-low PR touches the given topic and has a low impact on builders. D3-trivial 🧸 PR contains trivial changes in a runtime directory that do not require an audit labels Jul 5, 2021
@bkchr bkchr merged commit 0d10a9d into paritytech:master Jul 5, 2021
@trevor-crypto trevor-crypto deleted the linregress-deny branch July 5, 2021 12:02
ordian added a commit that referenced this pull request Jul 5, 2021
* master:
  Bump linregress due to security vulnerability (#9262)
  pallet macro: always generate storage info on pallet struct (#9246)
  Less duplication in test code (#9270)
  Add `Chilled` event to staking chill extrinsics (#9250)
dvdplm added a commit that referenced this pull request Jul 6, 2021
* master:
  fix staking version in genesis (#9280)
  fix storage info for decl_storage (#9274)
  Authority_discovery: expose assimilate_storage with GenesisBuild (#9279)
  Update CODEOWNERS (#9278)
  Remove in-tree `max-encoded-len` and use the new SCALE codec crate instead (#9163)
  bump a bunch of deps in parity-common (#9263)
  Bump linregress due to security vulnerability (#9262)
  pallet macro: always generate storage info on pallet struct (#9246)
  Less duplication in test code (#9270)
  Add `Chilled` event to staking chill extrinsics (#9250)