Got "security vulnerability detected" in ci with 0.5.0 branch

[teawater]

#301

info: the active toolchain `1.77.0-x86_64-unknown-linux-musl` has been installed
info: it's active because: overridden by '/github/workspace/rust-toolchain.toml'
error[vulnerability]: Crash due to uncontrolled recursion in protobuf crate
   ┌─ /github/workspace/Cargo.lock:[34](https://github.com/containerd/ttrpc-rust/actions/runs/15840230092/job/44651405097?pr=301#step:4:35):1
   │
34 │ protobuf 2.28.0 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2024-04[37](https://github.com/containerd/ttrpc-rust/actions/runs/15840230092/job/44651405097?pr=301#step:4:38)
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0437
   ├ Affected version of this crate did not properly parse unknown fields when parsing a user-supplied input.
     
     This allows an attacker to cause a stack overflow when parsing the mssage on untrusted data.
   ├ Announcement: https://github.com/stepancheg/rust-protobuf/issues/749
   ├ Solution: Upgrade to >=3.7.2 (try `cargo update -p protobuf`)
   ├ protobuf v2.28.0
     ├── protobuf-codegen v2.28.0
     │   └── protobuf-codegen-pure v2.28.0
     │       └── (build) ttrpc v0.5.9
     ├── protobuf-codegen-pure v2.28.0 (*)
     └── ttrpc v0.5.9 (*)

advisories FAILED

[teawater]

It's hard to update protobuf in ttrpc 0.5.

Maybe we should update the documentation with a note reminding users to avoid using the ttrpc 0.5 version whenever possible due to security concerns.

[stevenhorsman]

Hi @teawater - I'm trying to resolve this vulnerability in kata-containers as well and we are inheriting this from ttrpc

ID:        RUSTSEC-2024-0437
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0437
Solution:  Upgrade to >=3.7.2
Dependency tree:
protobuf 2.28.0
├── ttrpc-compiler 0.7.0
│   └── ttrpc-codegen 0.5.0
│       └── protocols 0.1.0
│           ├── rustjail 0.1.0
│           │   └── kata-agent 0.1.0
│           └── kata-agent 0.1.0
├── ttrpc-codegen 0.5.0
├── protobuf-codegen 2.28.0
│   └── ttrpc-compiler 0.7.0
└── prometheus 0.13.4
    └── kata-agent 0.1.0

Can you explain a bit more of:

Maybe we should update the documentation with a note reminding users to avoid using the v5 version whenever possible due to security concerns.

and how we should approach this as looking on crates.io, it looks like 0.5.0 is the latest version? Thanks!

[teawater]

Hi @teawater - I'm trying to resolve this vulnerability in kata-containers as well and we are inheriting this from ttrpc

ID:        RUSTSEC-2024-0437
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0437
Solution:  Upgrade to >=3.7.2
Dependency tree:
protobuf 2.28.0
├── ttrpc-compiler 0.7.0
│   └── ttrpc-codegen 0.5.0
│       └── protocols 0.1.0
│           ├── rustjail 0.1.0
│           │   └── kata-agent 0.1.0
│           └── kata-agent 0.1.0
├── ttrpc-codegen 0.5.0
├── protobuf-codegen 2.28.0
│   └── ttrpc-compiler 0.7.0
└── prometheus 0.13.4
    └── kata-agent 0.1.0

Can you explain a bit more of:

Maybe we should update the documentation with a note reminding users to avoid using the v5 version whenever possible due to security concerns.

and how we should approach this as looking on crates.io, it looks like 0.5.0 is the latest version? Thanks!

Hi Steven,

The "V5" I mentioned earlier refers to ttrpc 0.5 but not ttrpc-codegen 0.5 .

I think ttrpc-codegen 0.5 is not affected by the security issue because it use protobuf-codegen 3.7.2.

And I updated the earlier comment to make it clear.

Best,
Hui

[stevenhorsman]

I think ttrpc-codegen 0.5 is not affected by the security issue because it use protobuf-codegen 3.7.2.

Thanks for the reply - I'm still a bit confused as - as I showed above - ttrpc-codegen 0.5 has a dependency on ttrpc-compiler 0.7.0 which uses protobuf 2.28.0, so is still impacted by this?

[teawater]

@Tim-Zhang Could you help me answer the queston of Steven?

[Tim-Zhang]

@stevenhorsman I think the root cause is ttrpc-compiler needs a new release to include this pr #291, will do it in recent days. thanks @stevenhorsman and @teawater

[stevenhorsman]

@stevenhorsman I think the root cause is ttrpc-compiler needs a new release to include this pr #291, will do it in recent days. thanks @stevenhorsman and @teawater

Great - thank you. I will keep an eye on this and try and bump kata to remove this vuln when it's available!