From 8a8cad6ce62f2d34bb34adcd956f6920c08f94b8 Mon Sep 17 00:00:00 2001 
From: Dustin Brickwood Date: Wed, 6 Dec 2023 12:35:47 -0600 Subject: [PATCH] fix: update google cloud dependencies that do not depend on rsa (#622) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## What ❔ This PR updates the dependencies of `google-cloud-storage` and `google-cloud-auth`. The changes are as follows: - From google-cloud-storage = "0.12.0" to google-cloud-storage = "0.15.0" - From google-cloud-auth = "0.11.0" to google-cloud-auth = "0.13.0" Relevant google-cloud changes: https://github.com/yoshidan/google-cloud-rust/pull/217 ## Why ❔ The primary reason for these updates is to address a security vulnerability associated with the `rsa` crate, as indicated by a recent `cargo-deny` check. The vulnerability (Marvin Attack, RUSTSEC-2023-0071) was detected in rsa v0.6.1, which is a dependency of `google-cloud-storage v0.12.0`. By updating to `google-cloud-storage v0.15.0`, we eliminate the use of the `rsa` crate, as the newer version of `google-cloud-storage` does not depend on it. Similarly, `google-cloud-auth` is updated for compatibility. Cargo deny output: ``` error[vulnerability]: Marvin Attack: potential key recovery through timing sidechannels ┌─ /Users/dustinbrickwood/Documents/dev/dut/forks/foundry-zksync/Cargo.lock:759:1 │ 759 │ rsa 0.6.1 registry+https://github.com/rust-lang/crates.io-index │ --------------------------------------------------------------- security vulnerability detected │ = ID: RUSTSEC-2023-0071 = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0071 = ### Impact Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. ### Patches No patch is yet available, however work is underway to migrate to a fully constant-time implementation. 
### Workarounds The only currently available workaround is to avoid using the `rsa` crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine. ### References This vulnerability was discovered as part of the "[Marvin Attack]", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks. [Marvin Attack]: https://people.redhat.com/~hkario/marvin/ = Announcement: https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643 = Solution: No safe upgrade is available! = rsa v0.6.1 └── google-cloud-storage v0.12.0 └── zksync_object_store v0.1.0 ├── zksync_core v0.1.0 │ └── era_test_node v0.1.0-alpha.12 │ └── era_revm v0.0.1-alpha │ ├── foundry-common v0.2.0 │ │ ├── anvil v0.2.0 │ │ │ ├── (dev) forge v0.2.0 │ │ │ └── (dev) zkforge v0.2.0 │ │ ├── cast v0.2.0 │ │ ├── chisel v0.2.0 │ │ ├── forge v0.2.0 (*) │ │ ├── foundry-cli v0.2.0 │ │ │ ├── cast v0.2.0 (*) │ │ │ ├── chisel v0.2.0 (*) │ │ │ ├── forge v0.2.0 (*) │ │ │ ├── zkcast v0.2.0 │ │ │ │ └── zkforge v0.2.0 (*) │ │ │ └── zkforge v0.2.0 (*) │ │ ├── foundry-debugger v0.2.0 │ │ │ ├── forge v0.2.0 (*) │ │ │ ├── foundry-cli v0.2.0 (*) │ │ │ └── zkforge v0.2.0 (*) │ │ ├── foundry-evm v0.2.0 │ │ │ ├── anvil v0.2.0 (*) │ │ │ ├── anvil-core v0.2.0 │ │ │ │ └── anvil v0.2.0 (*) │ │ │ ├── cast v0.2.0 (*) │ │ │ ├── chisel v0.2.0 (*) │ │ │ ├── forge v0.2.0 (*) │ │ │ ├── foundry-cli v0.2.0 (*) │ │ │ ├── foundry-debugger v0.2.0 (*) │ │ │ ├── zkcast v0.2.0 (*) │ │ │ └── zkforge v0.2.0 (*) │ │ ├── foundry-test-utils v0.2.0 │ │ │ ├── (dev) cast v0.2.0 (*) │ │ │ ├── (dev) forge v0.2.0 (*) │ │ │ ├── (dev) zkcast v0.2.0 (*) │ │ │ └── (dev) zkforge v0.2.0 (*) │ │ ├── (dev) foundry-utils v0.2.0 │ │ │ ├── anvil v0.2.0 (*) │ │ │ ├── anvil-core v0.2.0 (*) │ │ │ ├── cast v0.2.0 (*) │ │ │ ├── chisel v0.2.0 (*) │ │ │ ├── forge v0.2.0 (*) │ │ │ ├── forge-doc v0.2.0 │ │ │ │ ├── forge v0.2.0 (*) │ │ │ │ └── zkforge v0.2.0 
(*) │ │ │ ├── foundry-cli v0.2.0 (*) │ │ │ ├── foundry-debugger v0.2.0 (*) │ │ │ ├── (dev) foundry-evm v0.2.0 (*) │ │ │ ├── foundry-test-utils v0.2.0 (*) │ │ │ ├── zkcast v0.2.0 (*) │ │ │ └── zkforge v0.2.0 (*) │ │ ├── zkcast v0.2.0 (*) │ │ └── zkforge v0.2.0 (*) │ └── foundry-evm v0.2.0 (*) └── zksync_prover_utils v0.1.0 ├── zksync_core v0.1.0 (*) └── zksync_verification_key_generator_and_server v0.1.0 └── zksync_core v0.1.0 (*) ``` ## Checklist - [x] PR title corresponds to the body of PR (we generate changelog entries from PRs). - [ ] Tests for the changes have been added / updated. - [ ] Documentation comments have been added / updated. - [x] Code has been formatted via `zk fmt` and `zk lint`. - [x] Spellcheck has been run via `cargo spellcheck --cfg=./spellcheck/era.cfg --code 1`. --- Cargo.lock | 161 +++++++++---------------------- core/lib/object_store/Cargo.toml | 4 +- deny.toml | 1 - 3 files changed, 47 insertions(+), 119 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3fbf3deb35e1..ec650188c8a9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1436,12 +1436,6 @@ dependencies = [ "windows-sys 0.45.0", ] -[[package]] -name = "const-oid" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e4c78c047431fee22c1a7bb92e00ad095a02a983affe4d8a72e2a2c62c1b94f3" - [[package]] name = "const-oid" version = "0.9.5" @@ -1748,16 +1742,6 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" -[[package]] -name = "crypto-bigint" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "03c6a1d5fa1de37e071642dfa44ec552ca5b299adb128fab16138e24b548fd21" -dependencies = [ - "generic-array 0.14.7", - "subtle", -] - [[package]] name = "crypto-bigint" version = "0.4.9" 
@@ -1948,24 +1932,13 @@ dependencies = [ "uuid", ] -[[package]] -name = "der" -version = "0.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6919815d73839e7ad218de758883aae3a257ba6759ce7a9992501efbb53d705c" -dependencies = [ - "const-oid 0.7.1", - "crypto-bigint 0.3.2", - "pem-rfc7468", -] - [[package]] name = "der" version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f1a467a65c5e759bce6e65eaf91cc29f466cdc57cb65777bd646872a8a1fd4de" dependencies = [ - "const-oid 0.9.5", + "const-oid", "zeroize", ] @@ -1975,7 +1948,8 @@ version = "0.7.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fffa369a668c8af7dbf8b5e56c9f744fbd399949ed171606040001947de40b1c" dependencies = [ - "const-oid 0.9.5", + "const-oid", + "pem-rfc7468", "zeroize", ] @@ -2797,9 +2771,9 @@ dependencies = [ [[package]] name = "google-cloud-auth" -version = "0.11.0" +version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "644f40175857d0b8d7b6cad6cd9594284da5041387fa2ddff30ab6d8faef65eb" +checksum = "af1087f1fbd2dd3f58c17c7574ddd99cd61cbbbc2c4dc81114b8687209b196cb" dependencies = [ "async-trait", "base64 0.21.5", @@ -2819,9 +2793,9 @@ dependencies = [ [[package]] name = "google-cloud-metadata" -version = "0.3.2" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "96e4ad0802d3f416f62e7ce01ac1460898ee0efc98f8b45cd4aab7611607012f" +checksum = "cc279bfb50487d7bcd900e8688406475fc750fe474a835b2ab9ade9eb1fc90e2" dependencies = [ "reqwest", "thiserror", 
@@ -2830,11 +2804,12 @@ dependencies = [ [[package]] name = "google-cloud-storage" -version = "0.12.0" +version = "0.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "215abab97e07d144428425509c1dad07e57ea72b84b21bcdb6a8a5f12a5c4932" +checksum = "ac04b29849ebdeb9fb008988cc1c4d1f0c9d121b4c7f1ddeb8061df124580e93" dependencies = [ "async-stream", + "async-trait", "base64 0.21.5", "bytes 1.5.0", "futures-util", @@ -2844,10 +2819,10 @@ dependencies = [ "hex", "once_cell", "percent-encoding", + "pkcs8 0.10.2", "regex", "reqwest", - "ring", - "rsa", + "ring 0.17.7", "serde", "serde_json", "sha2 0.10.8", @@ -3722,7 +3697,7 @@ checksum = "6971da4d9c3aa03c3d8f3ff0f4155b534aad021292003895a469716b2a230378" dependencies = [ "base64 0.21.5", "pem", - "ring", + "ring 0.16.20", "serde", "serde_json", "simple_asn1", @@ -3770,9 +3745,6 @@ name = "lazy_static" version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" -dependencies = [ - "spin", -] [[package]] name = "lazycell" @@ -4398,23 +4370,6 @@ dependencies = [ "serde", ] -[[package]] -name = "num-bigint-dig" -version = "0.8.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151" -dependencies = [ - "byteorder", - "lazy_static", - "libm", - "num-integer", - "num-iter", - "num-traits", - "rand 0.8.5", - "smallvec", - "zeroize", -] - [[package]] name = "num-complex" version = "0.3.1" @@ -4906,9 +4861,9 @@ dependencies = [ [[package]] name = "pem-rfc7468" -version = "0.3.1" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01de5d978f34aa4b2296576379fcc416034702fd94117c56ffd8a1a767cefb30" +checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412" dependencies = [ "base64ct", ] 
@@ -5006,28 +4961,6 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" -[[package]] -name = "pkcs1" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a78f66c04ccc83dd4486fd46c33896f4e17b24a7a3a6400dedc48ed0ddd72320" -dependencies = [ - "der 0.5.1", - "pkcs8 0.8.0", - "zeroize", -] - -[[package]] -name = "pkcs8" -version = "0.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7cabda3fb821068a9a4fab19a683eac3af12edf0f34b94a8be53c4972b8149d0" -dependencies = [ - "der 0.5.1", - "spki 0.5.4", - "zeroize", -] - [[package]] name = "pkcs8" version = "0.9.0" @@ -5882,12 +5815,26 @@ dependencies = [ "cc", "libc", "once_cell", - "spin", - "untrusted", + "spin 0.5.2", + "untrusted 0.7.1", "web-sys", "winapi 0.3.9", ] +[[package]] +name = "ring" +version = "0.17.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "688c63d65483050968b2a8937f7995f443e27041a0f7700aa59b0822aedebb74" +dependencies = [ + "cc", + "getrandom 0.2.10", + "libc", + "spin 0.9.8", + "untrusted 0.9.0", + "windows-sys 0.48.0", +] + [[package]] name = "ripemd160" version = "0.9.1" @@ -5931,26 +5878,6 @@ dependencies = [ "zksync_storage", ] -[[package]] -name = "rsa" -version = "0.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4cf22754c49613d2b3b119f0e5d46e34a2c628a937e3024b8762de4e7d8c710b" -dependencies = [ - "byteorder", - "digest 0.10.7", - "num-bigint-dig", - "num-integer", - "num-iter", - "num-traits", - "pkcs1", - "pkcs8 0.8.0", - "rand_core 0.6.4", - "smallvec", - "subtle", - "zeroize", -] - [[package]] name = "rustc-demangle" version = "0.1.23" 
@@ -5998,7 +5925,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cd8d6c9f025a446bc4d18ad9632e69aec8f287aa84499ee335599fabd20c3fd8"
 dependencies = [
  "log",
- "ring",
+ "ring 0.16.20",
  "rustls-webpki",
  "sct",
 ]
@@ -6030,8 +5957,8 @@ version = "0.101.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3c7d5dece342910d9ba34d259310cae3e0154b873b35408b787b59bce53d34fe"
 dependencies = [
- "ring",
- "untrusted",
+ "ring 0.16.20",
+ "untrusted 0.7.1",
 ]
 
 [[package]]
@@ -6101,8 +6028,8 @@ version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
 dependencies = [
- "ring",
- "untrusted",
+ "ring 0.16.20",
+ "untrusted 0.7.1",
 ]
 
 [[package]]
@@ -6680,14 +6607,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
 
 [[package]]
-name = "spki"
-version = "0.5.4"
+name = "spin"
+version = "0.9.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44d01ac02a6ccf3e07db148d2be087da624fea0221a16152ed01f0496a6b0a27"
-dependencies = [
- "base64ct",
- "der 0.5.1",
-]
+checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
 
 [[package]]
 name = "spki"
@@ -7638,6 +7561,12 @@ version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
 
+[[package]]
+name = "untrusted"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
+
 [[package]]
 name = "ureq"
 version = "2.8.0"
diff --git a/core/lib/object_store/Cargo.toml b/core/lib/object_store/Cargo.toml
index 941674d6e502..20f52a995a8c 100644
--- a/core/lib/object_store/Cargo.toml
+++ b/core/lib/object_store/Cargo.toml
@@ -17,8 +17,8 @@ zksync_types = { path = "../types" }
 anyhow = "1.0"
 async-trait = "0.1"
 bincode = "1"
-google-cloud-storage = "0.12.0"
-google-cloud-auth = "0.11.0"
+google-cloud-storage = "0.15.0"
+google-cloud-auth = "0.13.0"
 http = "0.2.9"
 tokio = { version = "1.21.2", features = ["full"] }
 tracing = "0.1"
diff --git a/deny.toml b/deny.toml
index 7fa3c835088a..b50b165b72f5 100644
--- a/deny.toml
+++ b/deny.toml
@@ -8,7 +8,6 @@ yanked = "warn"
 notice = "warn"
 ignore = [
     "RUSTSEC-2023-0018",
-    "RUSTSEC-2023-0071"
 ]
 
 [licenses]
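Review bot: The one entry left in the deny.toml `ignore` array, `"RUSTSEC-2023-0018"`, still carries no comment recording why it is suppressed or what upgrade would let it be dropped, so the next reader has to redo for it the investigation this commit did for RUSTSEC-2023-0071; a line such as `# RUSTSEC-2023-0018: <reason> — remove once <crate> is upgraded` (placeholders to be filled in) above the entry would keep the suppression list auditable. Dropping `"RUSTSEC-2023-0071"` from `ignore` is the right complement to the dependency bump: cargo-deny will now fail the advisories check if `rsa 0.6.1` is reintroduced through any transitive path instead of silently passing. That guard only holds if the pipeline actually runs the advisories check on every change, which is not visible in this patch and is worth confirming.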