Bug 2167220 - ikona does not honor standard Fedora compiler flags for Rust, does not declare bundled libraries, bundles ancient versions with known security vulnerabilities
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: ikona
Version: 39
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jan Blackquill (Carson Black)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-02-05 21:27 UTC by Fabio Valentini
Modified: 2023-08-16 07:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Fabio Valentini 2023-02-05 21:27:16 UTC
Currently, ikona is built without default Fedora compiler flags for Rust code (i.e. "-Copt-level=3 -Cdebuginfo=2 -Ccodegen-units=1 -Clink-arg=-Wl,-z,relro -Clink-arg=-Wl,-z,now --cap-lints=warn" on Fedora 37) - essentially, the code is not fully optimized, and does not contain debuginfo or frame pointers.

RUSTFLAGS is the standard environment variable for setting compiler flags for rustc (similar to CFLAGS / CXXFLAGS / LDFLAGS), but it isn't set by default (and not yet included in %set_build_flags, but I've reported an RFE about this).

It appears that the ikona build system hard-codes just the `--release` flag for cargo, which only implies `-Copt-level=2`. This results in ikona not having valid debug symbols for its Rust code, its code not being optimized to the same level as other Rust code in Fedora, and it not respecting other flags for better code quality and / or debuggability.

A possible solution might be to export RUSTFLAGS, assuming that the build process honors (and does not override) these settings.

I also noticed that ikona bundles lots of ancient (!) Rust crates, and a three-year-old copy of librsvg2, which strikes me as ... unsafe for an application that possibly handles untrusted input. (The bundled dependencies are also not declared in the .spec file, which also results in it not being included in reports for security issues in that bundled stuff. Oh Well.)

A scan of the vendored crates (with "cargo audit") shows that they are vulnerable to several security issues (most of them "high" or "critical"):

chrono 0.4.10: RUSTSEC-2020-0159 / CVE-2020-26235
crossbeam-deque 0.7.2: RUSTSEC-2021-0093 / CVE-2021-32810
futures-task 0.3.4: RUSTSEC-2020-0060 / CVE-2020-35906 and RUSTSEC-2020-0061 / CVE-2020-35907
futures-util 0.3.4: RUSTSEC-2020-0059 / CVE-2020-35905
generic-array 0.13.2: RUSTSEC-2020-0146 / CVE-2020-36465
nalgebra 0.19.0: RUSTSEC-2021-0070 / CVE-2021-38190
regex 1.3.4: RUSTSEC-2022-0013 / CVE-2022-24713
smallvec 1.2.0: RUSTSEC-2021-0003 / CVE-2021-25900
thread_local 1.0.1: RUSTSEC-2022-0006
time 0.1.42: RUSTSEC-2020-0071 / CVE-2020-26235
yaml_rust 0.3.5: RUSTSEC-2018-0006 / CVE-2018-20993
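
An offline approximation of the `cargo audit` scan described above, added here as an example that is not part of the bug report or of the ikona project: it walks a vendored `Cargo.lock`, compares every top-level `[[package]]` name/version pair against the crate versions the report lists, prints the matching advisories and returns non-zero when any crate matches. The `Cargo.lock` excerpt, the `KNOWN_BAD` table layout and the function names are constructed for this example; the crate versions and advisory identifiers are the ones quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or ikona): flag vendored crates whose
# exact version is one the report names as vulnerable.  Constructed for this
# page; only the crate names, versions and advisory ids come from the report.
set -eu

# Advisory table from the report, one entry per line: name|version|advisories.
# The report writes "yaml_rust"; the crate as named in Cargo.lock is "yaml-rust".
KNOWN_BAD='chrono|0.4.10|RUSTSEC-2020-0159 / CVE-2020-26235
crossbeam-deque|0.7.2|RUSTSEC-2021-0093 / CVE-2021-32810
futures-task|0.3.4|RUSTSEC-2020-0060 / CVE-2020-35906, RUSTSEC-2020-0061 / CVE-2020-35907
futures-util|0.3.4|RUSTSEC-2020-0059 / CVE-2020-35905
generic-array|0.13.2|RUSTSEC-2020-0146 / CVE-2020-36465
nalgebra|0.19.0|RUSTSEC-2021-0070 / CVE-2021-38190
regex|1.3.4|RUSTSEC-2022-0013 / CVE-2022-24713
smallvec|1.2.0|RUSTSEC-2021-0003 / CVE-2021-25900
thread_local|1.0.1|RUSTSEC-2022-0006
time|0.1.42|RUSTSEC-2020-0071 / CVE-2020-26235
yaml-rust|0.3.5|RUSTSEC-2018-0006 / CVE-2018-20993'

# Print "name version advisories" for each [[package]] in the given Cargo.lock
# whose name@version is in KNOWN_BAD.  Returns 1 if anything matched, else 0.
scan_lockfile() {
    printf '%s\n' "$KNOWN_BAD" | awk -F'|' '
        # First input (the table, on stdin): index advisories by name@version.
        NR == FNR { bad[$1 "@" $2] = $3; next }
        # Second input (the lockfile): only column-0 name/version lines count;
        # entries inside "dependencies = [...]" are indented and so are skipped.
        /^name *= *"/    { line = $0; gsub(/.*= *"|"$/, "", line); name = line }
        /^version *= *"/ { line = $0; gsub(/.*= *"|"$/, "", line)
                           key = name "@" line
                           if (key in bad) { print name, line, bad[key]; hits++ } }
        END { exit hits ? 1 : 0 }
    ' - "$1"
}

# Constructed Cargo.lock excerpt (not ikona's real lockfile): two crates at
# versions the report flags, one regex release the table does not list, and
# one crate that is not in the table at all.  Prints the temp file path.
write_sample_lockfile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file is automatically @generated by Cargo.
[[package]]
name = "chrono"
version = "0.4.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "num-integer",
 "time",
]

[[package]]
name = "libc"
version = "0.2.66"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex"
version = "1.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "smallvec"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration on the constructed lockfile.
lock=$(write_sample_lockfile)
if scan_lockfile "$lock"; then
    echo "no crate in $lock matches the advisory table"
else
    echo "known-vulnerable crate versions found in $lock"
fi
rm -f "$lock"
```

The check needs no network, so it can run against the vendored sources inside a buildroot. It deliberately matches only the exact versions the report names; `cargo audit` evaluates the affected-version ranges from the RustSec database, so a crate bumped to a version that is still inside an affected range would pass this script while failing a real audit.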

Comment 1 Ben Cotton 2023-02-07 15:08:24 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 2 Fedora Release Engineering 2023-08-16 07:06:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

