gnosis/lighthouse
1
0
Fork 0
mirror of https://github.com/sigp/lighthouse.git synced 2026-05-07 16:55:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update zeroize_derive (#2625)

Browse Source 
## Issue Addressed

NA

## Proposed Changes

As `cargo audit` astutely pointed out, the version of `zeroize_derive` were were using had a vulnerability:

```
Crate:         zeroize_derive
Version:       1.1.0
Title:         `#[zeroize(drop)]` doesn't implement `Drop` for `enum`s
Date:          2021-09-24
ID:            RUSTSEC-2021-0115
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0115
Solution:      Upgrade to >=1.2.0
```

This PR updates `zeroize` and `zeroize_derive` to appease `cargo audit`.

`tiny-bip39` was also updated to allow compile.

## Additional Info

I don't believe this vulnerability actually affected the Lighthouse code-base directly. However, `tiny-bip39` may have been affected which may have resulted in some uncleaned memory in Lighthouse. Whilst this is not ideal, it's not a major issue. Zeroization is a nice-to-have since it only protects from sophisticated attacks or attackers that already have a high level of access already.
This commit is contained in:
Paul Hauner
2021-09-25 05:58:37 +00:00
parent fe52322088
commit 924a1345b1
7 changed files with 16 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/bls/Cargo.toml
View File

@@ -16,7 +16,7 @@ hex = "0.4.2"
eth2_hashing = "0.2.0"
ethereum-types = "0.11.0"
arbitrary = { version = "0.4.6", features = ["derive"], optional = true }
zeroize = { version = "1.1.1", features = ["zeroize_derive"] }
zeroize = { version = "1.4.2", features = ["zeroize_derive"] }
blst = "0.3.3"
[features]

2
crypto/eth2_key_derivation/Cargo.toml
View File

@@ -8,7 +8,7 @@ edition = "2018"
[dependencies]
sha2 = "0.9.1"
zeroize = { version = "1.1.1", features = ["zeroize_derive"] }
zeroize = { version = "1.4.2", features = ["zeroize_derive"] }
num-bigint-dig = { version = "0.6.0", features = ["zeroize"] }
ring = "0.16.19"
bls = { path = "../bls" }

2
crypto/eth2_keystore/Cargo.toml
View File

@@ -13,7 +13,7 @@ pbkdf2 = { version = "0.8.0", default-features = false }
scrypt = { version = "0.7.0", default-features = false }
sha2 = "0.9.1"
uuid = { version = "0.8.1", features = ["serde", "v4"] }
zeroize = { version = "1.1.1", features = ["zeroize_derive"] }
zeroize = { version = "1.4.2", features = ["zeroize_derive"] }
serde = "1.0.116"
serde_repr = "0.1.6"
hex = "0.4.2"

2
crypto/eth2_wallet/Cargo.toml
View File

@@ -14,7 +14,7 @@ uuid = { version = "0.8.1", features = ["serde", "v4"] }
rand = "0.7.3"
eth2_keystore = { path = "../eth2_keystore" }
eth2_key_derivation = { path = "../eth2_key_derivation" }
tiny-bip39 = "0.8.0"
tiny-bip39 = "0.8.1"
[dev-dependencies]
hex = "0.4.2"