fix(deps): mitigate lz4_flex RUSTSEC-2026-0041 and add cargo-audit CI#139
Merged
Conversation
Resolves Dependabot alert #1 (high): lz4_flex 0.10.0, RUSTSEC-2026-0041 / CVE-2026-32829 - LZ4 block decompression can leak uninitialized or reused-buffer memory on invalid input. lz4_flex enters the graph only via zenoh-transport 1.9.0, which pins lz4_flex ^0.10.0; the fix exists only in >= 0.11.6 and there is no patched 0.10.x, so the lockfile cannot be bumped until zenoh releases (eclipse-zenoh/zenoh#2499 is still open). zenoh's transport_compression feature is the only thing that compiles the vulnerable decompress_into call, and phoxal-bus never enables compression at runtime. Build zenoh without transport_compression so the affected path is not linked into any shipped binary; behavior is unchanged. Also add a cargo-audit CI job (PR/push on manifest changes + daily schedule) so future RUSTSEC advisories are caught without waiting for a Dependabot match, with .cargo/audit.toml carrying a justified, removable ignore for each advisory that has no upstream fix today. The first audit run surfaced additional advisories, addressed here: - quinn-proto 0.11.14 -> 0.11.15 (RUSTSEC-2026-0185, high, reachable QUIC remote memory exhaustion): in-semver fix. - anyhow 1.0.102 -> 1.0.103 (RUSTSEC-2026-0190, unsound downcast_mut): in-semver fix. - quick-xml 0.36 via urdf-rs (RUSTSEC-2026-0194/0195) and rsa via zenoh auth_pubkey (RUSTSEC-2023-0071): documented ignores; neither is reachable in phoxal (URDF is parsed only from local component files; zenoh public-key auth is never configured) and neither has a usable upstream fix yet. Verified: cargo tree confirms transport_compression is gone from the resolved feature set; cargo audit exits 0; cargo test passes; cargo check --workspace --all-targets passes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Mitigates the high-severity Dependabot alert #1 -
lz4_flex0.10.0, RUSTSEC-2026-0041 / CVE-2026-32829 / GHSA-vvp9-7p8x-rfvv: decompressing invalid LZ4 block data can leak uninitialized memory or reused-buffer contents.It also adds the
cargo auditCI job so future RUSTSEC advisories are caught without waiting for a Dependabot match, and fixes a second high-severity advisory (quinn-proto) that the first audit run surfaced.Why the lockfile cannot simply be bumped
lz4_flexis pulled in solely byzenoh-transport1.9.0 (viazenoh), which pinslz4_flex ^0.10.0.lz4_flex>= 0.11.6 / >= 0.12.1; every 0.11.x below 0.11.6 is yanked and there is no patched 0.10.x backport, so no semver-compatible update exists.Reachability
lz4_flex::block::decompress_intoand friends. zenoh-transport calls exactlylz4_flex::block::decompress_intowith a pooled (reused) output buffer inRBatch::initialize(io/zenoh-transport/src/common/batch.rs), i.e. the reused-buffer leak scenario from the advisory.transport_compressionfeature, which was enabled in every shipped binary (services, drivers) via zenoh's default features.phoxal-bus'szenoh_config()(phoxal-bus/src/session.rs) never enables it and exposes no way for users to.Changes
zenohdependency: default features minustransport_compression.The affected code path is no longer compiled into any shipped binary. No behavior change - phoxal never negotiates compression. Cargo.lock is intentionally untouched by this part:
lz4_flexis a non-optional dependency ofzenoh-transport, so the crate stays in the graph (and the Dependabot alert stays open) until zenoh ships the bump; its code is simply unreachable and unlinked.cargo update -p quinn-proto0.11.14 -> 0.11.15, fixing RUSTSEC-2026-0185 (high, remote memory exhaustion in QUIC stream reassembly - reachable, since zenoh's QUIC transport is compiled in). Surfaced by the first localcargo auditrun; in-semver patch.security-auditworkflow (.github/workflows/security-audit.yml):cargo auditon PRs/pushes touching manifests, plus a daily schedule - advisories land independently of commits, so the schedule is the trigger that matters..cargo/audit.tomlwith per-entry justification and removal condition for advisories that have no upstream fix today:RUSTSEC-2026-0041(lz4_flex, this alert) - mitigated as above; remove when zenoh releases withlz4_flex>= 0.11.6.RUSTSEC-2026-0194/RUSTSEC-2026-0195(quick-xml0.36 viaurdf-rs0.9.0, DoS class) - urdf-rs 0.9.0 is the latest release and pins^0.36; phoxal parses URDF only from local, operator-installed component definitions, never network input. Remove when urdf-rs releases with quick-xml >= 0.41 (openrr/urdf-rs#134).RUSTSEC-2023-0071(rsaMarvin timing side channel via zenohauth_pubkey) - no fixed rsa release exists anywhere; phoxal never configures zenoh public-key auth at runtime.Verification
cargo tree -p zenoh-transport -f '{f}'confirmstransport_compressionis gone from the resolved feature set.cargo auditpasses locally with the ignore file (4 remaining items are warnings - unmaintained/unsound/yanked - which do not fail the job).cargo testpasses across the workspace.Follow-ups
lz4_flex>= 0.11.6: bump zenoh, restore default features (or keep the trimmed list), drop theRUSTSEC-2026-0041ignore. The Dependabot alert auto-resolves at that point.tmp/framework-rewrite/workspace-and-ci.mdin phoxal/organization) does not currently document the cargo-audit job - worth adding it to the plan so the rebuild-cadence story ("a security/engine fix required in every binary") names the mechanism that detects such fixes.🤖 Generated with Claude Code