Bug 2214198

Summary: RUSTSEC-2023-0042: ouroboros < 0.16 is unsound
Product: Fedora
Reporter: Fabio Valentini <decathorpe>
Component: rust-ouroboros
Assignee: Christian Heimes <cheimes>
Status: NEW
Severity: unspecified
Priority: unspecified
Version: 39
CC: cheimes, rust-sig
Hardware: Unspecified
OS: Unspecified
Type: Bug
Bug Depends On: 2214229, 2214227, 2214228

Description Fabio Valentini 2023-06-12 09:39:33 UTC
cf. https://rustsec.org/advisories/RUSTSEC-2023-0042.html

The ouroboros crate is affected by soundness issues, which could result in invalid code being generated by future versions of Rust. The upstream project recommends migrating to the self_cell crate:

https://github.com/joshua-maros/ouroboros/issues/88

Affected packages in Fedora:

- mercurial
- python-cryptography
- rust-zoxide

Comment 1 Christian Heimes 2023-06-12 12:32:24 UTC
Upstream PyCA cryptography switched to self_cell two hours ago: https://github.com/pyca/cryptography/pull/8800

Comment 2 Fabio Valentini 2023-07-30 17:06:11 UTC
The RUSTSEC advisory for ouroboros was updated:

The upstream project has continued development, and recent versions (>= 0.16) should no longer suffer from soundness issues. I've updated the bug title accordingly (since ouroboros in Fedora is stuck at a version that's still affected).

However, mercurial has since switched to self_cell, so it is no longer affected.

That only leaves zoxide and python-cryptography (looks like the migration to self_cell was only merged to main / future version 42, but not the 41.0.x branch, and Fedora is stuck on the v40 branch anyway).

Comment 3 Christian Heimes 2023-08-14 08:12:49 UTC
ouroboros 0.17.2 is now available in Rawhide.

I have patched python-cryptography 41.0.3 to use ouroboros 0.17. The code builds and all tests are passing.

The ouroboros update also unblocks the update of zoxide to the latest version, 0.9.2.

Comment 4 Fedora Release Engineering 2023-08-16 07:14:46 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.