Bug 2167220

Summary: ikona does not honor standard Fedora compiler flags for Rust, does not declare bundled libraries, bundles ancient versions with known security vulnerabilities
Product: Fedora
Component: ikona
Version: 39
Status: NEW
Type: Bug
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Fabio Valentini <decathorpe>
Assignee: Jan Blackquill (Carson Black) <uhhadd>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: uhhadd

Description Fabio Valentini 2023-02-05 21:27:16 UTC
Currently, ikona is built without default Fedora compiler flags for Rust code (i.e. "-Copt-level=3 -Cdebuginfo=2 -Ccodegen-units=1 -Clink-arg=-Wl,-z,relro -Clink-arg=-Wl,-z,now --cap-lints=warn" on Fedora 37) - essentially, the code is not fully optimized, and does not contain debuginfo or frame pointers.

RUSTFLAGS is the standard environment variable for setting compiler flags for rustc (similar to CFLAGS / CXXFLAGS / LDFLAGS), but it isn't set by default (and not yet included in %set_build_flags, but I've reported an RFE about this).

It appears that the ikona build system hard-codes just the `--release` flag for cargo, which only implies `-Copt-level=2`. This results in ikona not having valid debug symbols for its Rust code, its code not being optimized to the same level as other Rust code in Fedora, and it not respecting other flags for better code quality and / or debuggability.

A possible solution might be to export RUSTFLAGS, assuming that the build process honors (and does not override) these settings.

I also noticed that ikona bundles lots of ancient (!) Rust crates, and a three-year-old copy of librsvg2, which strikes me as ... unsafe for an application that possibly handles untrusted input. (The bundled dependencies are also not declared in the .spec file, which also results in it not being included in reports for security issues in that bundled stuff. Oh Well.)

A scan of the vendored crates (with "cargo audit") shows that they are vulnerable to several security issues (most of them "high" or "critical"):

chrono 0.4.10: RUSTSEC-2020-0159 / CVE-2020-26235
crossbeam-deque 0.7.2: RUSTSEC-2021-0093 / CVE-2021-32810
futures-task 0.3.4: RUSTSEC-2020-0060 / CVE-2020-35906 and RUSTSEC-2020-0061 / CVE-2020-35907
futures-util 0.3.4: RUSTSEC-2020-0059 / CVE-2020-35905
generic-array 0.13.2: RUSTSEC-2020-0146 / CVE-2020-36465
nalgebra 0.19.0: RUSTSEC-2021-0070 / CVE-2021-38190
regex 1.3.4: RUSTSEC-2022-0013 / CVE-2022-24713
smallvec 1.2.0: RUSTSEC-2021-0003 / CVE-2021-25900
thread_local 1.0.1: RUSTSEC-2022-0006
time 0.1.42: RUSTSEC-2020-0071 / CVE-2020-26235
yaml_rust 0.3.5: RUSTSEC-2018-0006 / CVE-2018-20993
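
The two packaging fixes the report asks for, as an added example that is not the reporter's words or the ikona project's own code: a shell snippet that turns a vendored Cargo.lock into the "Provides: bundled(crate(NAME)) = VERSION" lines Fedora's packaging guidelines expect for bundled Rust crates (so the bundled versions show up in security reports), plus a readelf check that the RUSTFLAGS quoted above actually reached the built binary. The lockfile contents, the placeholder crate name "myapp", and the function names are constructed for this example; cargo audit itself needs the advisory database and is only referenced in a comment.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the ikona package: turn a
# vendored Cargo.lock into the "Provides: bundled(crate(NAME)) = VERSION" lines
# that Fedora's packaging guidelines expect for bundled Rust crates, and check
# that a built binary actually received the hardening/debuginfo flags from the
# report. The lockfile below is constructed for this example; "myapp" stands in
# for the package's own workspace crate and is not a real crate.
#
# To see the advisories for a vendored lockfile without building anything,
# "cargo audit --file vendor/Cargo.lock" (or the lockfile's real path) works,
# but it needs the RustSec advisory database, so it is not run here.

# Constructed lockfile: two registry crates (versions taken from the report's
# cargo-audit list) plus one workspace crate that has no "source" key.
SAMPLE_LOCK=$(cat <<'EOF'
# This file is automatically @generated by Cargo.
[[package]]
name = "chrono"
version = "0.4.10"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "chrono",
 "smallvec",
]

[[package]]
name = "smallvec"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
)

# bundled_provides LOCKFILE
# Emit one Provides line per crate that came from a registry. Crates with no
# "source" key are path/workspace crates (the package itself), which must not
# be declared as bundled, so they are skipped.
bundled_provides() {
    awk '
        function flush() {
            if (name != "" && src != "")
                printf "Provides: bundled(crate(%s)) = %s\n", name, ver
        }
        /^\[\[package\]\]/ { flush(); name = ""; ver = ""; src = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = /      { gsub(/"/, "", $3); ver = $3 }
        /^source = /       { src = $3 }
        END                { flush() }
    ' "$1"
}

# Flags quoted in the report. In the spec this belongs in %build before cargo
# is invoked; it only helps if the build system passes RUSTFLAGS through
# instead of overriding it.
FEDORA_RUSTFLAGS="-Copt-level=3 -Cdebuginfo=2 -Ccodegen-units=1 -Clink-arg=-Wl,-z,relro -Clink-arg=-Wl,-z,now --cap-lints=warn"

# check_hardening BINARY
# Run on the unstripped build output (before find-debuginfo splits out the
# -debuginfo subpackage). Prints each missing property and returns 1 if any of
# RELRO, BIND_NOW or DWARF debug info is absent, i.e. the flags were ignored.
check_hardening() {
    bin=$1
    rc=0
    readelf -l "$bin" | grep -q 'GNU_RELRO'    || { echo "$bin: no GNU_RELRO segment (-z relro)"; rc=1; }
    readelf -d "$bin" | grep -q 'BIND_NOW'     || { echo "$bin: not linked with -z now"; rc=1; }
    readelf -S "$bin" | grep -q '\.debug_info' || { echo "$bin: no .debug_info section (-Cdebuginfo)"; rc=1; }
    return $rc
}

# Stand-alone demo: write the constructed lockfile out and print the Provides
# lines a packager would paste into the spec file.
demo() {
    lock=$(mktemp)
    printf '%s\n' "$SAMPLE_LOCK" > "$lock"
    bundled_provides "$lock"
    rm -f "$lock"
}

demo
```

Running the snippet prints a Provides line for chrono and smallvec only; the workspace crate is skipped because it has no "source" entry. After a build with RUSTFLAGS exported, "check_hardening target/release/<binary>" on the unstripped output tells you whether the build system really honored the flags, which is the assumption the report makes explicit.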

Comment 1 Ben Cotton 2023-02-07 15:08:24 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 2 Fedora Release Engineering 2023-08-16 07:06:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.