Record cargo-vet violations for older zstd versions

When I tried to audit our previous exemption for zstd, I found two buffer overruns which were reachable from safe Rust, although not reachable from Wasmtime. I got them fixed upstream but didn't update our cargo-vet audits to reflect the issue with the older versions. Alex updated our dependencies to pull in the fixed versions in bytecodealliance#7870, and this PR notes for the benefit of anyone importing the Bytecode Alliance audit set that older versions should not be used. See gyscos/zstd-rs#231
jameysharp · Apr 1, 2024 · 834b934 · 834b934
1 parent c76e1fd
commit 834b934
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
@@ -3231,6 +3231,12 @@ No major updates to the crate here. Small updates to `unsafe` code which are
 refactorings of what was there prior.
 """
 
+[[audits.zstd]]
+who = "Jamey Sharp <[email protected]>"
+criteria = "safe-to-deploy"
+violation = "<0.13.0"
+notes = "Buffer overrun fixed in https://github.com/gyscos/zstd-rs/pull/231"
+
 [[audits.zstd-safe]]
 who = "Alex Crichton <[email protected]>"
 criteria = "safe-to-deploy"
@@ -3241,6 +3247,12 @@ Does contain new unsafe code, notably an implementation of an internal trait for
 the standard library `io::Cursor` type.
 """
 
+[[audits.zstd-safe]]
+who = "Jamey Sharp <[email protected]>"
+criteria = "safe-to-deploy"
+violation = "<7.0.0"
+notes = "Buffer overrun fixed in https://github.com/gyscos/zstd-rs/pull/231"
+
 [[trusted.aho-corasick]]
 criteria = "safe-to-deploy"
 user-id = 189 # Andrew Gallant (BurntSushi)