From a67e6810ef24b867c52ab473bf64a6accddf0788 Mon Sep 17 00:00:00 2001
From: steviez
Date: Tue, 2 Jul 2024 11:11:19 -0500
Subject: [PATCH] v1.18: Use updated branch for curve25519-dalek (#1939)

* v1.18: Use updated branch for curve25519-dalek

RUSTSEC-2024-0344 was announced so update to a branch that contains the commits that were created in response to the advisory. We must do this manually as the v1.18 branch is built against curve25519-dalek 3.2.1; this is not the latest major release and the maintainers have chosen not to push changes to their older release branches

* ci: ignore curve25519-dalek audit temporarily (#1786)

ci: ignore curve25519-dalek audit

* Review feedback - more specific link to the "why" information

---------

Co-authored-by: Yihau Chen
---
 Cargo.lock | 2 +-
 Cargo.toml | 25 ++++++++++++++++++++-----
 ci/do-audit.sh | 5 +++++
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 42597823e9694e..02ccdb5080c5bf 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1715,7 +1715,7 @@ dependencies = [
 [[package]]
 name = "curve25519-dalek"
 version = "3.2.1"
-source = "git+https://github.com/anza-xyz/curve25519-dalek.git?rev=b500cdc2a920cd5bff9e2dd974d7b97349d61464#b500cdc2a920cd5bff9e2dd974d7b97349d61464"
+source = "git+https://github.com/anza-xyz/curve25519-dalek.git?rev=0382b672560493840f453f2a0e24c4a129abd3a4#0382b672560493840f453f2a0e24c4a129abd3a4"
 dependencies = [
  "byteorder",
  "digest 0.9.0",
diff --git a/Cargo.toml b/Cargo.toml
index b5c6955a5c903d..0750fb1905b2f8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -511,6 +511,13 @@ solana-zk-token-sdk = { path = "zk-token-sdk" }
 git = "https://github.com/RustCrypto/AEADs"
 rev = "6105d7a5591aefa646a95d12b5e8d3f55a9214ef"
 
+# We maintain a fork of `curve25519-dalek`. Within the forked repository,
+# the `3.2.1-fix-audit` branch contains patches for two issues:
+# 1. `zeroize` dependency
+# 2. RUSTSEC-2024-0344
+#
+# 1. `zeroize` dependency
+#
 # Our dependency tree has `curve25519-dalek` v3.2.1. They have removed the
 # constraint in the next major release. The commit that removes the `zeroize`
 # constraint was added to multiple release branches, but not to the 3.2 branch.
@@ -532,17 +539,25 @@ rev = "6105d7a5591aefa646a95d12b5e8d3f55a9214ef"
 #
 # https://github.com/dalek-cryptography/curve25519-dalek/commit/29e5c29b0e5c6821e4586af58b0d0891dd2ec639
 #
-# Comparison with `b500cdc2a920cd5bff9e2dd974d7b97349d61464`:
+# Comparison with `a4885c8391490389897ff88227b4e86874f33acc`:
+#
+# https://github.com/dalek-cryptography/curve25519-dalek/compare/3.2.1...anza-xyz:curve25519-dalek:a4885c8391490389897ff88227b4e86874f33acc
+#
+# 2. RUSTSEC-2024-0344
+#
+# The following security advisory was released for `curve25519-dalek`:
 #
-# https://github.com/dalek-cryptography/curve25519-dalek/compare/3.2.1...solana-labs:curve25519-dalek:b500cdc2a920cd5bff9e2dd974d7b97349d61464
+# https://rustsec.org/advisories/RUSTSEC-2024-0344.html
 #
-# Or, using the branch name instead of the hash:
+# New releases were not made on the older release branches, so we have
+# cherry-picked these commits into our branch as well.
 #
-# https://github.com/dalek-cryptography/curve25519-dalek/compare/3.2.1...solana-labs:curve25519-dalek:3.2.1-unpin-zeroize
+# https://github.com/dalek-cryptography/curve25519-dalek/commit/415892acf1cdf9161bd6a4c99bc2f4cb8fae5e6a
+# https://github.com/dalek-cryptography/curve25519-dalek/commit/b4f9e4df92a4689fb59e312a21f940ba06ba7013
 #
 [patch.crates-io.curve25519-dalek]
 git = "https://github.com/anza-xyz/curve25519-dalek.git"
-rev = "b500cdc2a920cd5bff9e2dd974d7b97349d61464"
+rev = "0382b672560493840f453f2a0e24c4a129abd3a4"
 
 # Solana RPC nodes experience stalls when running with `tokio` containing this
 # commit:
diff --git a/ci/do-audit.sh b/ci/do-audit.sh
index 0118c84c5f0fec..e2ee219973f41b 100755
--- a/ci/do-audit.sh
+++ b/ci/do-audit.sh
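Review bot: The rewritten "Comparison with" line points at `a4885c8391490389897ff88227b4e86874f33acc`, but the `rev` pinned in `[patch.crates-io.curve25519-dalek]` a few lines below is `0382b672560493840f453f2a0e24c4a129abd3a4`, and the comment never says how the two relate, so a reader auditing the patch cannot tell from the file what the pinned commit contains relative to 3.2.1. Suggest naming both explicitly, e.g. `# a4885c8… carries the zeroize fix alone; the pinned rev 0382b67… adds the two RUSTSEC-2024-0344 cherry-picks listed below`, and adding a compare link for the pinned rev itself so the full delta against 3.2.1 can be reviewed from one URL. The first hunk describes a `3.2.1-fix-audit` branch while this entry pins a commit hash with no `branch` key; pinning the hash is the right choice because a branch can move, and the comment should say that the branch name is orientation only and the `rev` is authoritative.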
@@ -33,6 +33,11 @@ cargo_audit_ignores=(
   # mio
   --ignore RUSTSEC-2024-0019
+
+  # curve25519-dalek
+  # Patches to address the advisory have been pulled into a fork of the repo.
+  # See `[patch.crates-io.curve25519-dalek]` in Cargo.toml for more information
+  --ignore RUSTSEC-2024-0344
 )
 
 scripts/cargo-for-all-lock-files.sh audit "${cargo_audit_ignores[@]}" | $dep_tree_filter
 # we want the `cargo audit` exit code, not `$dep_tree_filter`'s
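Review bot: The new `--ignore RUSTSEC-2024-0344` entry has no removal condition, although the commit message calls the ignore temporary; the comment should state when it can be dropped, e.g. `# Remove this ignore once curve25519-dalek is upgraded to a release that ships the fix upstream`. The ignore is also passed to every lockfile that `scripts/cargo-for-all-lock-files.sh` iterates over, so if any lockfile other than the root `Cargo.lock` resolves `curve25519-dalek` without the `[patch]` rev, the advisory is silenced there without the fix being present — presumably the other lockfiles share the workspace patch, but only the root `Cargo.lock` changes in this commit, so that is worth confirming before relying on the ignore. The `cargo_audit_ignores` array opens outside the hunk.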