Add advisory for unsound problem in wasmtime_jit_debug
#1999
Conversation
|
It looks like it's been patched in v27 bytecodealliance/wasmtime@b5e31a5 can you mark it as patched in the advisory? |
Done. Thanks for your correction. |
|
pr is stil not merged. can a maintainer pleser merger it? |
|
@alexcrichton any feedback on this one? |
|
Personally, if acceptable, I'd prefer not to merge this. I think this was good to flag on our issue tracker and fix, but it's an internal crate to the project which we've documented users should not use. We have a number of Now how exactly that falls under the advisory db here I'm not sure. We would ideally lint/etc that users shouldn't directly depend on these internal crates (and we could probably do a better job of messaging in Wasmtime as well), but doing so through advisories feels like something we should figure out in Wasmtime better rather than here. Is it reasonable to ask this not be merged? If it's still desired to be merged I'd ask that we on Wasmtime have a moment to sort out how exactly to best discourage users from using internal crates before this is merged. Also, as a side note, this advisory says |
Given the purpose of internal-only usage, we can definitely delay merging this so you can figure out messaging/mitigation. In my mind, if the crate is published to crates.io as a library that someone could potentially use, then issues with public, safe API should be fair game for advisories... Maybe it could make sense to guard the contents of the crate with an |
|
I think I agree with that. |
|
Sounds reasonable! I've got an agenda item for our upcoming meeting next Thursday. I'll post here with a response after that |
This commit is an attempt to more clearly flag internal crates in this project as internal and not intended for external use. Specifically: * Many crates are renamed from `wasmtime-foo` to `wasmtime-internal-foo`. * All of these crates now have `INTERNAL: ...` in their crates.io description. * All of these crates now have a warning at the top of their documentation discouraging use. This change is a result of rustsec/advisory-db#1999 where the goal is to be crystal clear from a project perspective that usage of these crates are highly discouraged and not supported. We'll still probably get such advisories but we won't be considering them CVEs from the project itself due to the internal nature of these crates and the discouraging warnings. Some concrete changes used here are: * Inter-crate dependencies still use `wasmtime_foo` for naming and do so with Cargo's package-renaming features. * Crate renames are specified at the workspace level so the rename is only in one locations and all other inherit it. * Contribution documentation now has some brief guidelines about crate organization.
|
Ok we discussed this yesterday and the discussion culminated in bytecodealliance/wasmtime#10963. We don't plan on retroactively applying this change to older branches but it should at least hopefully mitigate things going forward. In the meantime this seems reasonable to merge to me, I don't expect the fallout to be that large. |
* More clearly flag internal crates as such This commit is an attempt to more clearly flag internal crates in this project as internal and not intended for external use. Specifically: * Many crates are renamed from `wasmtime-foo` to `wasmtime-internal-foo`. * All of these crates now have `INTERNAL: ...` in their crates.io description. * All of these crates now have a warning at the top of their documentation discouraging use. This change is a result of rustsec/advisory-db#1999 where the goal is to be crystal clear from a project perspective that usage of these crates are highly discouraged and not supported. We'll still probably get such advisories but we won't be considering them CVEs from the project itself due to the internal nature of these crates and the discouraging warnings. Some concrete changes used here are: * Inter-crate dependencies still use `wasmtime_foo` for naming and do so with Cargo's package-renaming features. * Crate renames are specified at the workspace level so the rename is only in one locations and all other inherit it. * Contribution documentation now has some brief guidelines about crate organization. * Update vet config * Update checks for wasmtime-fiber prtest:full * Update publish script * Another fiber rename * Fix some doc tests
* More clearly flag internal crates as such This commit is an attempt to more clearly flag internal crates in this project as internal and not intended for external use. Specifically: * Many crates are renamed from `wasmtime-foo` to `wasmtime-internal-foo`. * All of these crates now have `INTERNAL: ...` in their crates.io description. * All of these crates now have a warning at the top of their documentation discouraging use. This change is a result of rustsec/advisory-db#1999 where the goal is to be crystal clear from a project perspective that usage of these crates are highly discouraged and not supported. We'll still probably get such advisories but we won't be considering them CVEs from the project itself due to the internal nature of these crates and the discouraging warnings. Some concrete changes used here are: * Inter-crate dependencies still use `wasmtime_foo` for naming and do so with Cargo's package-renaming features. * Crate renames are specified at the workspace level so the rename is only in one locations and all other inherit it. * Contribution documentation now has some brief guidelines about crate organization. * Update vet config * Update checks for wasmtime-fiber prtest:full * Update publish script * Another fiber rename * Fix some doc tests
|
@alexcrichton any feedback on the advisory contents? Should we add a note about this being an internal crate? |
|
Yeah that would probably be best, something along the lines of:
|
|
@safe4u can you add this note to the advisory? |
|
Thank you all for your attention to this minor problem : ) |
A soundness bug in
wasmtime_jit_debugthat wrongly marks the functiondump_code_load_recordas 'safe'.The issue report: bytecodealliance/wasmtime#8905