Conversation

@RalfJung
Contributor

No description provided.

@tarcieri tarcieri merged commit 32d6ae5 into rustsec:master Jul 17, 2019
tarcieri added a commit that referenced this pull request Jul 17, 2019
@RalfJung
Contributor Author

RalfJung commented Jul 18, 2019

@tarcieri According to crossbeam-rs/crossbeam#401 (comment), someone got a warning for using version 0.2.1 even though I set unaffected_versions = ["< 0.3.0"]. Why is that?

@RalfJung RalfJung deleted the memoffset branch July 18, 2019 07:56
@tarcieri
Member

@RalfJung I'm guessing because they were running an older version of cargo-audit which didn't handle unaffected_versions correctly. There were a few issues with it before like this:

https://github.com/RustSec/rustsec-crate/pull/53

Any semi-recent version (v0.6.0, v0.7.0) handles them correctly. I just tried to repro on v0.7.0 and could not.
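As an added illustration of the behaviour tarcieri describes (this is example code, not cargo-audit's or the rustsec crate's implementation), the snippet below shows how an advisory's `patched` and `unaffected_versions` requirements should combine: a dependency version is vulnerable only if it matches neither list. It assumes plain `x.y.z` versions and only the `<`, `<=`, `>`, `>=`, `=` comparators, which is enough for the RUSTSEC-2019-0011 ranges discussed in this thread.

```rust
// Added example: evaluating RustSec `patched` / `unaffected_versions`
// requirements with a minimal x.y.z parser (no external crates).

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
struct Version(u64, u64, u64);

fn parse_version(s: &str) -> Option<Version> {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    Some(Version(it.next()??, it.next()??, it.next()??))
}

/// Does `v` satisfy a single requirement such as ">= 0.5.0" or "< 0.3.0"?
/// Longer operators are tried first so "<=" is not misread as "<".
fn matches_req(req: &str, v: Version) -> bool {
    let req = req.trim();
    let (op, rest) = ["<=", ">=", "<", ">", "="]
        .iter()
        .find_map(|op| req.strip_prefix(*op).map(|r| (*op, r)))
        .unwrap_or(("=", req)); // bare version means exact match
    let bound = match parse_version(rest) {
        Some(b) => b,
        None => return false, // a malformed requirement never marks anything safe
    };
    match op {
        "<" => v < bound,
        "<=" => v <= bound,
        ">" => v > bound,
        ">=" => v >= bound,
        _ => v == bound,
    }
}

/// Advisory fields as in the RustSec TOML: every requirement in `patched`
/// or `unaffected_versions` describes versions that are *not* vulnerable.
struct Advisory<'a> { patched: &'a [&'a str], unaffected: &'a [&'a str] }

fn is_vulnerable(adv: &Advisory, version: &str) -> bool {
    let v = match parse_version(version) { Some(v) => v, None => return true };
    let safe = adv.patched.iter().chain(adv.unaffected.iter()).any(|r| matches_req(r, v));
    !safe
}

fn main() {
    // RUSTSEC-2019-0011 as stated in this thread: fixed in >= 0.5.0,
    // and versions before 0.3.0 never had the flaw.
    let adv = Advisory { patched: &[">= 0.5.0"], unaffected: &["< 0.3.0"] };
    for v in ["0.2.1", "0.3.0", "0.4.0", "0.5.0"] {
        println!("memoffset {}: vulnerable = {}", v, is_vulnerable(&adv, v));
    }
}
```

A tool that ignored `unaffected_versions` and only consulted `patched` would report 0.2.1 as vulnerable, which is exactly the false positive kingishb saw with cargo-audit 0.5.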

@RalfJung
Contributor Author

@kingishb is that accurate? Is your cargo-audit at version 0.5 or older?

@kingishb

kingishb commented Jul 18, 2019

Hi @RalfJung @tarcieri here's everything relevant to what I reported. Let me know if there's any additional information I can provide.

Edit: sorry, yes, it does look like I am running version 0.5; I misread your first comment. That may or may not explain this one.

Versions

$ cargo --version
cargo 1.37.0-nightly (807429e1b 2019-06-11)
$ cargo audit --version
cargo-audit 0.5.2

Steps to reproduce

cargo init app && cd app
echo 'reqwest="0.9.18"' >> Cargo.toml
cargo build
cargo audit

I see

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 32 security advisories (from /Users/brianking/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (158 crate dependencies)
error: Vulnerable crates found!

ID:	 RUSTSEC-2019-0011
Crate:	 memoffset
Version: 0.2.1
Date:	 2019-07-16
URL:	 https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490
Title:	 Flaw in offset_of and span_of causes SIGILL, potential memory unsafety
Solution: upgrade to: >= 0.5.0

error: 1 vulnerability found!

For what it's worth, I also see the memoffset version in my Cargo.lock, so I am unsure if this is the right place.

[[package]]
name = "crossbeam-epoch"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "arrayvec 0.4.11 (registry+https://github.com/rust-lang/crates.io-index)",
 "cfg-if 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)",
 "crossbeam-utils 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
 "lazy_static 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "memoffset 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "scopeguard 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
]

@kingishb

kingishb commented Jul 18, 2019

Update:
Using 0.7 reports no issues:

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 32 security advisories (from /Users/brianking/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (158 crate dependencies)
     Success No vulnerable packages found

Although do note the memoffset version 0.2.1 seems to register as a dependency of crossbeam-epoch still in Cargo.lock -- I'm not sure if that's a problem!

Edit: ^ now I understand what you meant -- that 0.2.1 is not covered under the security advisory, so this isn't a problem. Thanks for your help!

@RalfJung
Contributor Author

@kingishb okay, that explains it. You should update cargo-audit some day. :)

cargo install cargo-audit -f
