Skip to content

fix(deps): mitigate lz4_flex RUSTSEC-2026-0041 and add cargo-audit CI#139

Merged
jBernavaPrah merged 1 commit into
mainfrom
fix/rustsec-2026-0041-lz4-flex
Jul 2, 2026
Merged

fix(deps): mitigate lz4_flex RUSTSEC-2026-0041 and add cargo-audit CI#139
jBernavaPrah merged 1 commit into
mainfrom
fix/rustsec-2026-0041-lz4-flex

Conversation

@jBernavaPrah

Copy link
Copy Markdown
Contributor

Summary

Mitigates the high-severity Dependabot alert #1 - lz4_flex 0.10.0, RUSTSEC-2026-0041 / CVE-2026-32829 / GHSA-vvp9-7p8x-rfvv: decompressing invalid LZ4 block data can leak uninitialized memory or reused-buffer contents.
It also adds the cargo audit CI job so future RUSTSEC advisories are caught without waiting for a Dependabot match, and fixes a second high-severity advisory (quinn-proto) that the first audit run surfaced.

Why the lockfile cannot simply be bumped

  • lz4_flex is pulled in solely by zenoh-transport 1.9.0 (via zenoh), which pins lz4_flex ^0.10.0.
  • The fix only exists in lz4_flex >= 0.11.6 / >= 0.12.1; every 0.11.x below 0.11.6 is yanked and there is no patched 0.10.x backport, so no semver-compatible update exists.
  • Upstream zenoh has not shipped the bump yet: eclipse-zenoh/zenoh#2499 (bump to 0.11.6) is still open, and eclipse-zenoh/zenoh#2589 tracks the same cargo-audit report.
  • zenoh-transport 1.9.0 is the latest release, so there is no newer zenoh to move to either.

Reachability

  • The vulnerable functions are lz4_flex::block::decompress_into and friends. zenoh-transport calls exactly lz4_flex::block::decompress_into with a pooled (reused) output buffer in RBatch::initialize (io/zenoh-transport/src/common/batch.rs), i.e. the reused-buffer leak scenario from the advisory.
  • That call site is compiled only under zenoh's transport_compression feature, which was enabled in every shipped binary (services, drivers) via zenoh's default features.
  • At runtime it was not reachable in phoxal deployments: the decompress branch runs only when the local batch config enables compression, and phoxal-bus's zenoh_config() (phoxal-bus/src/session.rs) never enables it and exposes no way for users to.
  • So this was compiled-in but dormant. Still worth removing: a future config passthrough or zenoh default change would silently arm it.

Changes

  1. Workspace zenoh dependency: default features minus transport_compression.
    The affected code path is no longer compiled into any shipped binary. No behavior change - phoxal never negotiates compression. Cargo.lock is intentionally untouched by this part: lz4_flex is a non-optional dependency of zenoh-transport, so the crate stays in the graph (and the Dependabot alert stays open) until zenoh ships the bump; its code is simply unreachable and unlinked.
  2. cargo update -p quinn-proto 0.11.14 -> 0.11.15, fixing RUSTSEC-2026-0185 (high, remote memory exhaustion in QUIC stream reassembly - reachable, since zenoh's QUIC transport is compiled in). Surfaced by the first local cargo audit run; in-semver patch.
  3. New security-audit workflow (.github/workflows/security-audit.yml): cargo audit on PRs/pushes touching manifests, plus a daily schedule - advisories land independently of commits, so the schedule is the trigger that matters.
  4. .cargo/audit.toml with per-entry justification and removal condition for advisories that have no upstream fix today:
    • RUSTSEC-2026-0041 (lz4_flex, this alert) - mitigated as above; remove when zenoh releases with lz4_flex >= 0.11.6.
    • RUSTSEC-2026-0194 / RUSTSEC-2026-0195 (quick-xml 0.36 via urdf-rs 0.9.0, DoS class) - urdf-rs 0.9.0 is the latest release and pins ^0.36; phoxal parses URDF only from local, operator-installed component definitions, never network input. Remove when urdf-rs releases with quick-xml >= 0.41 (openrr/urdf-rs#134).
    • RUSTSEC-2023-0071 (rsa Marvin timing side channel via zenoh auth_pubkey) - no fixed rsa release exists anywhere; phoxal never configures zenoh public-key auth at runtime.

Verification

  • cargo tree -p zenoh-transport -f '{f}' confirms transport_compression is gone from the resolved feature set.
  • cargo audit passes locally with the ignore file (4 remaining items are warnings - unmaintained/unsound/yanked - which do not fail the job).
  • cargo test passes across the workspace.

Follow-ups

  • When zenoh releases with lz4_flex >= 0.11.6: bump zenoh, restore default features (or keep the trimmed list), drop the RUSTSEC-2026-0041 ignore. The Dependabot alert auto-resolves at that point.
  • When urdf-rs releases with quick-xml >= 0.41: bump urdf-rs, drop the two quick-xml ignores.
  • The framework-rewrite plan (tmp/framework-rewrite/workspace-and-ci.md in phoxal/organization) does not currently document the cargo-audit job - worth adding it to the plan so the rebuild-cadence story ("a security/engine fix required in every binary") names the mechanism that detects such fixes.

🤖 Generated with Claude Code

Resolves Dependabot alert #1 (high): lz4_flex 0.10.0, RUSTSEC-2026-0041 /
CVE-2026-32829 - LZ4 block decompression can leak uninitialized or
reused-buffer memory on invalid input.

lz4_flex enters the graph only via zenoh-transport 1.9.0, which pins
lz4_flex ^0.10.0; the fix exists only in >= 0.11.6 and there is no
patched 0.10.x, so the lockfile cannot be bumped until zenoh releases
(eclipse-zenoh/zenoh#2499 is still open). zenoh's transport_compression
feature is the only thing that compiles the vulnerable decompress_into
call, and phoxal-bus never enables compression at runtime. Build zenoh
without transport_compression so the affected path is not linked into any
shipped binary; behavior is unchanged.

Also add a cargo-audit CI job (PR/push on manifest changes + daily
schedule) so future RUSTSEC advisories are caught without waiting for a
Dependabot match, with .cargo/audit.toml carrying a justified, removable
ignore for each advisory that has no upstream fix today.

The first audit run surfaced additional advisories, addressed here:
- quinn-proto 0.11.14 -> 0.11.15 (RUSTSEC-2026-0185, high, reachable QUIC
  remote memory exhaustion): in-semver fix.
- anyhow 1.0.102 -> 1.0.103 (RUSTSEC-2026-0190, unsound downcast_mut):
  in-semver fix.
- quick-xml 0.36 via urdf-rs (RUSTSEC-2026-0194/0195) and rsa via zenoh
  auth_pubkey (RUSTSEC-2023-0071): documented ignores; neither is
  reachable in phoxal (URDF is parsed only from local component files;
  zenoh public-key auth is never configured) and neither has a usable
  upstream fix yet.

Verified: cargo tree confirms transport_compression is gone from the
resolved feature set; cargo audit exits 0; cargo test passes; cargo
check --workspace --all-targets passes.
@jBernavaPrah jBernavaPrah merged commit 8c07103 into main Jul 2, 2026
6 checks passed
@jBernavaPrah jBernavaPrah deleted the fix/rustsec-2026-0041-lz4-flex branch July 2, 2026 12:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant