From 10d7fa4f9456b819658499e4f5b0da26a2c40096 Mon Sep 17 00:00:00 2001
From: pinkforest <36498018+pinkforest@users.noreply.github.com>
Date: Sun, 14 Aug 2022 18:12:59 +1000
Subject: [PATCH 1/3] Remove RUSTSEC-2018-0022 tempfile recommendation
Signed-off-by: pinkforest <36498018+pinkforest@users.noreply.github.com>
---
crates/temporary/RUSTSEC-2018-0022.md | 2 --
1 file changed, 2 deletions(-)
diff --git a/crates/temporary/RUSTSEC-2018-0022.md b/crates/temporary/RUSTSEC-2018-0022.md
index 8745fa65b3..4f5dc4a4f6 100644
--- a/crates/temporary/RUSTSEC-2018-0022.md
+++ b/crates/temporary/RUSTSEC-2018-0022.md
@@ -28,5 +28,3 @@ fn random_seed(_: &Path, _: &str) -> [u64; 2] { This has been resolved in the 0.6.4 release. The crate is not intended to be used outside of a testing environment.
-
-For a general purpose crate to create temporary directories, [`tempfile`](https://crates.io/crates/tempfile) is an alternative for this crate.
From 79ab847b8e93ed5cad55324974c192174ab912d5 Mon Sep 17 00:00:00 2001
From: pinkforest <36498018+pinkforest@users.noreply.github.com>
Date: Sun, 14 Aug 2022 18:23:46 +1000
Subject: [PATCH 2/3] Add tempfile
Signed-off-by: pinkforest <36498018+pinkforest@users.noreply.github.com>
---
crates/tempfile/RUSTSEC-0000-0000.md | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 crates/tempfile/RUSTSEC-0000-0000.md
diff --git a/crates/tempfile/RUSTSEC-0000-0000.md b/crates/tempfile/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000000..b41cc9dfb9
--- /dev/null
+++ b/crates/tempfile/RUSTSEC-0000-0000.md
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "tempfile"
+date = "2022-05-01"
+url = "https://github.com/Stebalien/tempfile/issues/178"
+references = ["https://github.com/Stebalien/tempfile/pull/141", "https://github.com/Stebalien/tempfile/pull/162", "https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File"]
+keywords = ["tempfile"]
+[versions]
+patched = []
+```
+
+# tempfile uses predictable RNG
+
+tempfile makes security guarantees that are not met by using predictable random number generator.
+
+The vectors may or may not vary by the platform and the use of the library.
\ No newline at end of file
From fcdbc77177c284c2b02bb44fc9cb450214cc96f2 Mon Sep 17 00:00:00 2001
From: pinkforest <36498018+pinkforest@users.noreply.github.com>
Date: Sun, 14 Aug 2022 18:37:09 +1000
Subject: [PATCH 3/3] Remove tempfile ref from tempdir
Signed-off-by: pinkforest <36498018+pinkforest@users.noreply.github.com>
---
crates/tempdir/RUSTSEC-2018-0017.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/crates/tempdir/RUSTSEC-2018-0017.md b/crates/tempdir/RUSTSEC-2018-0017.md
index 473030e2ce..444d89458a 100644
--- a/crates/tempdir/RUSTSEC-2018-0017.md
+++ b/crates/tempdir/RUSTSEC-2018-0017.md
@@ -13,5 +13,4 @@ unaffected = [] # `tempdir` crate has been deprecated; use `tempfile` instead
-The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated
-and the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile).
+The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated.
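Review bot: The new `crates/tempfile/RUSTSEC-0000-0000.md` declares `patched = []` with no `unaffected` range, no `[affected]` table, no `categories` and no `informational` key. As written it would presumably be reported against every tempfile release with no upgrade path. The body gives a consumer nothing to act on, because "security guarantees that are not met" and "vectors may or may not vary" name neither the affected API, nor the condition under which a temporary name becomes guessable, nor a mitigation. I would state which constructors and platforms are affected and what predictability allows, record the impact under `categories` and `[affected]`, and set `informational` if this is meant as a notice rather than a vulnerability. The file also ends without a trailing newline.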
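Review bot: The heading left unchanged in the `crates/tempdir/RUSTSEC-2018-0017.md` hunk still ends with "use `tempfile` instead", so the title now contradicts the body, which no longer mentions tempfile. The title is likely the line tools show to users, so if the series is meant to stop recommending tempfile it should change too, e.g. `` # `tempdir` crate has been deprecated ``. The body now also leaves readers of a deprecation notice with no migration guidance, so either name what to move to or say that no replacement is currently recommended and why.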