
fix(keychain-memory-wasm): wee_alloc is Unmaintained GHSA-rc23-xxgq-x27g #2352

Closed
petermetz opened this issue Mar 28, 2023 · 0 comments · Fixed by #2388
Labels: bug (Something isn't working); dependencies (Pull requests that update a dependency file); Keychain (Tasks/bugs related to the Keychain plugin core interfaces or any of the implementations themselves); P1 (Priority 1: Highest); rust (Pull requests that update Rust code); Security (Related to existing or potential security vulnerabilities)

Comments

@petermetz (Contributor)

In short, we need to migrate away from wee_alloc as per the GitHub security advisory: GHSA-rc23-xxgq-x27g

wee_alloc (Rust) · packages/cactus-plugin-keychain-memory-wasm/src/main/rust/cactus-plugin-keychain-memory-wasm/Cargo.toml

Two of the maintainers have indicated that the crate may not be maintained.
The crate has open issues including memory leaks and may not be suitable for production use.
It may be best to switch to the default Rust standard allocator on wasm32 targets.
Last release seems to have been three years ago.

https://github.com/hyperledger/cacti/security/dependabot/241
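A lockfile check to confirm the migration is complete, added here as an example and not part of the issue or the project's own tooling: it reads a Cargo.lock, reports which packages still pull in wee_alloc (directly, so transitive pulls show up under the intermediate crate), and tells you whether the crate is resolved at all. The Cargo.lock excerpt is constructed for the example; only the keychain-memory-wasm package name comes from the issue.

```rust
// Constructed Cargo.lock excerpt, not the project's real lockfile.
const LOCK: &str = r#"[[package]]
name = "cactus-plugin-keychain-memory-wasm"
dependencies = [
 "wasm-bindgen",
 "wee_alloc",
]
[[package]]
name = "wee_alloc"
dependencies = [
 "cfg-if 0.1.10",
]
"#;

/// Minimal Cargo.lock reader: maps each `[[package]]` name to its dependency names.
fn parse_lock(lock: &str) -> Vec<(String, Vec<String>)> {
    let mut out = Vec::new();
    for block in lock.split("[[package]]").skip(1) {
        let (mut name, mut deps, mut in_deps) = (String::new(), Vec::new(), false);
        for line in block.lines().map(str::trim) {
            if let Some(v) = line.strip_prefix("name = ") {
                name = v.trim_matches('"').to_string();
            } else if line.starts_with("dependencies = [") || line == "]" {
                in_deps = line != "]"; // enter the list on "dependencies = [", leave on "]"
            } else if in_deps {
                // Entries are "crate" or "crate version"; keep only the crate name.
                let entry = line.trim_end_matches(',').trim_matches('"');
                deps.extend(entry.split_whitespace().next().map(str::to_string));
            }
        }
        out.push((name, deps));
    }
    out
}

/// Packages that list `target` as a direct dependency, sorted for stable output.
pub fn dependents_of(lock: &str, target: &str) -> Vec<String> {
    let mut names: Vec<String> = parse_lock(lock).into_iter()
        .filter(|(_, deps)| deps.iter().any(|d| d == target)).map(|(n, _)| n).collect();
    names.sort();
    names
}
/// True while `target` is still resolved anywhere in the lockfile, i.e. the removal is incomplete.
pub fn is_locked(lock: &str, target: &str) -> bool {
    parse_lock(lock).iter().any(|(name, _)| name == target)
}

fn main() {
    println!("wee_alloc locked: {}, pulled in by: {:?}", is_locked(LOCK, "wee_alloc"), dependents_of(LOCK, "wee_alloc"));
}
```

After the fix lands, running the same check over the real Cargo.lock should report `is_locked` as false; a remaining dependent points at a crate that still needs attention.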

@petermetz petermetz added the bug, dependencies, Security, Keychain, P1 and rust labels on Mar 28, 2023
@petermetz petermetz self-assigned this Mar 28, 2023
petermetz added a commit to petermetz/cacti that referenced this issue Apr 12, 2023


Removed wee_alloc from being used entirely.
The default Rust allocator will be used instead
which is better maintained and poses less
of a security threat.

Fixes hyperledger-cacti#2352

Signed-off-by: Peter Somogyvari <[email protected]>
micoferdinand98 pushed a commit to micoferdinand98/cactus that referenced this issue Apr 18, 2023
micoferdinand98 pushed a commit to micoferdinand98/cactus that referenced this issue Apr 19, 2023