Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security advisory: please release with upgraded xcb dependencies #90

Open
getreu opened this issue Jun 13, 2022 · 0 comments
Open

Security advisory: please release with upgraded xcb dependencies #90

getreu opened this issue Jun 13, 2022 · 0 comments

Comments

@getreu
Copy link

getreu commented Jun 13, 2022

Solution: Upgrade xcb to >=1.0

See dependency tree below:

Crate:     xcb
Version:   0.8.2
Title:     Multiple soundness issues
Date:      2021-02-04
ID:        RUSTSEC-2021-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0019
Solution:  Upgrade to >=1.0
Dependency tree:
xcb 0.8.2
└── x11-clipboard 0.3.3
    └── clipboard 0.5.0
        └── tp-note 1.17.0
benjaminedwardwebb added a commit to benjaminedwardwebb/dmenu-rs that referenced this issue Oct 22, 2022
@benjaminedwardwebb
use xliiv:upgrade-x11 branch of rust-clipboard
3382729 
The rust-clipboard project's maintenance status is [unclear][1].

It pulls in an old version of [ruxt-xcb][2]. This old version has a
[security issue][3]. It also has a complex build that caused failures I
could not debug when building dmenu-rs with nix.

There is an [open PR][4] to rust-clipboard that updates the X11 and XCB
dependencies with a minimal changeset, resolving this issue.

This commit updates dmenu-rs's rust-clipboard dependency to point to the
fix in the open PR, located on the upgrade-x11 branch of xliiv's fork.

You can find similar discussion in an unrelated project [here][5].

[1]: aweinstock314/rust-clipboard#91
[2]: https://github.com/rust-x-bindings/rust-xcb/tree/v0.8.2
[3]: aweinstock314/rust-clipboard#90
[4]: aweinstock314/rust-clipboard#89
[5]: iceiix/stevenarella#701
benjaminedwardwebb added a commit to benjaminedwardwebb/dmenu-rs that referenced this issue Nov 12, 2022
@benjaminedwardwebb
use xliiv:upgrade-x11 branch of rust-clipboard
ca303c5 
The rust-clipboard project's maintenance status is [unclear][1].

It pulls in an old version of [ruxt-xcb][2]. This old version has a
[security issue][3]. It also has a complex build that caused failures I
could not debug when building dmenu-rs with nix.

There is an [open PR][4] to rust-clipboard that updates the X11 and XCB
dependencies with a minimal changeset, resolving this issue.

This commit updates dmenu-rs's rust-clipboard dependency to point to the
fix in the open PR, located on the upgrade-x11 branch of xliiv's fork.

You can find similar discussion in an unrelated project [here][5].

[1]: aweinstock314/rust-clipboard#91
[2]: https://github.com/rust-x-bindings/rust-xcb/tree/v0.8.2
[3]: aweinstock314/rust-clipboard#90
[4]: aweinstock314/rust-clipboard#89
[5]: iceiix/stevenarella#701
benjaminedwardwebb added a commit to benjaminedwardwebb/dmenu-rs that referenced this issue Nov 12, 2022
@benjaminedwardwebb
use xliiv:upgrade-x11 branch of rust-clipboard
6bfa7ab 
The rust-clipboard project's maintenance status is [unclear][1].

It pulls in an old version of [ruxt-xcb][2]. This old version has a
[security issue][3]. It also has a complex build that caused failures I
could not debug when building dmenu-rs with nix.

There is an [open PR][4] to rust-clipboard that updates the X11 and XCB
dependencies with a minimal changeset, resolving this issue.

This commit updates dmenu-rs's rust-clipboard dependency to point to the
fix in the open PR, located on the upgrade-x11 branch of xliiv's fork.

You can find similar discussion in an unrelated project [here][5].

[1]: aweinstock314/rust-clipboard#91
[2]: https://github.com/rust-x-bindings/rust-xcb/tree/v0.8.2
[3]: aweinstock314/rust-clipboard#90
[4]: aweinstock314/rust-clipboard#89
[5]: iceiix/stevenarella#701
tv42 added a commit to tv42/lapce that referenced this issue Nov 19, 2023
@tv42
Switch from crate clipboard to arboard
e1003d3 
This avoids a dependency via x11-clipboard to an old version of xcb,
v0.3. Problems and annoyances with xcb v0.3 include

- safety: aweinstock314/rust-clipboard#90
- build script depends on python
- won't build in a sandbox, as it writes to the source directory

See also aweinstock314/rust-clipboard#91
@tv42 tv42 mentioned this issue Nov 19, 2023
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@getreu