jeremycline / btfm Goto Github PK

crate has been renamed to crypto_secretbox

This crate has been forked/renamed from xsalsa20poly1305 to crypto_secretbox.

The new repository location is at:

<https://github.com/RustCrypto/nacl-compat/tree/master/crypto_secretbox>

See advisory page for additional details.

Generators can cause data races if non-Send types are used in their generator functions

The Generator type is an iterable which uses a generator function that yields
values. In affected versions of the crate, the provided function yielding values
had no Send bounds despite the Generator itself implementing Send.

The generator function lacking a Send bound means that types that are
dangerous to send across threads such as Rc could be sent as part of a
generator, potentially leading to data races.

This flaw was fixed in commit f7d120a3b
by enforcing that the generator function be bound by Send.

See advisory page for additional details.

webpki: CPU denial of service in certificate path building

When this crate is given a pathological certificate chain to validate, it will
spend CPU time exponential with the number of candidate certificates at each
step of path building.

Both TLS clients and TLS servers that accept client certificate are affected.

This was previously reported in
<briansmith/webpki#69> and re-reported recently
by Luke Malinowski.

rustls-webpki is a fork of this crate which contains a fix for this issue
and is actively maintained.

See advisory page for additional details.

ansi_term is Unmaintained

The maintainer has adviced this crate is deprecated and will not
receive any maintenance.

The crate does not seem to have much dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

• anstyle
• nu-ansi-term
• yansi

See advisory page for additional details.

Tungstenite allows remote attackers to cause a denial of service

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause
a denial of service (minutes of CPU consumption) via an excessive length of an
HTTP header in a client handshake. The length affects both how many times a parse
is attempted (e.g., thousands of times) and the average amount of data for each
parse attempt (e.g., millions of bytes).

See advisory page for additional details.

steps to reproduce:

1. stream video
2. bot doesn't listen, ever

Marvin Attack: potential key recovery through timing sidechannels

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

See advisory page for additional details.

Deepgram has a free API tier with https://try.deepgram.com/ and has 20 hours per month. It'd be entertaining to use that and fall back to deepspeech when the key runs out.

There are a lot of clips, but many just don't get played, because reasons. At some interval, say every few minutes, the bot should find a random clip with a low play count and play it for lulz.

right now it plays the join sound inside the function dealing with whether or not to join. Factor it out and add more event hooks (goodbye clips, etc).

For each phrase that is available, perform a lookup against a thesaurus, which will therefore greatly expand the pool of phrases, and could make the bot more funny, or just crazy, like https://www.reddit.com/r/ThesaurizeThis/

cpuid-bool has been renamed to cpufeatures

Please use the `cpufeatures`` crate going forward:

<https://github.com/RustCrypto/utils/tree/master/cpufeatures>

There will be no further releases of cpuid-bool.

See advisory page for additional details.

A single clip could be triggered by multiple configured phrases. A single phrase could randomly trigger a clip from an existing list of configured clips.

Buffer overflow due to integer overflow in transpose

Given the function transpose::transpose:

fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)

The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len().
As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode.

Exploiting this issue requires the caller to pass input_width and input_height arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.

See advisory page for additional details.

Create a batch job that runs at some interval to analyze existing clips, generate text from those clips, and add that text as associated keyword/phrases to the database.

libsqlite3-sys via C SQLite CVE-2022-35737

It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large string were input into SQLite's printf function.

As libsqlite3-sys bundles SQLite, it is susceptible to the vulnerability. libsqlite3-sys was updated to bundle the patched version of SQLite here.

See advisory page for additional details.

Chance could also be increased for when a user leaves and re-joins the channel in a small window of time.

term is looking for a new maintainer

The author of the term crate does not have time to maintain it and is looking
for a new maintainer.

Some maintained alternatives you can potentially switch to instead, depending
on your needs:

• crossterm
• termcolor
• yansi

See advisory page for additional details.

dirs is unmaintained, use dirs-next instead

The dirs crate is not maintained any more;
use dirs-next instead.

See advisory page for additional details.

Potential segfault in localtime_r invocations

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

• time-rs/time#293

See advisory page for additional details.

Potential segfault in the time crate

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

The affected functions from time 0.2.7 through 0.2.22 are:

• time::UtcOffset::local_offset_at
• time::UtcOffset::try_local_offset_at
• time::UtcOffset::current_local_offset
• time::UtcOffset::try_current_local_offset
• time::OffsetDateTime::now_local
• time::OffsetDateTime::try_now_local

The affected functions in time 0.1 (all versions) are:

• at
• at_utc

Non-Unix targets (including Windows and wasm) are unaffected.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.

Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3. series.

Workarounds

No workarounds are known.

References

time-rs/time#293

See advisory page for additional details.