https://bugs.kde.org/show_bug.cgi?id=514669
Bug ID: 514669
Summary: akonadi-search: outdated, potentially
security-sensitive Rust dependencies
Classification: Frameworks and Libraries
Product: Akonadi
Version: First GIT (master)
Reported In:
Platform: unspecified
OS: All
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Target Milestone: ---
The akonadi-search component (https://invent.kde.org/pim/akonadi-search) uses
Rust libraries to parse untrusted HTML.
The "html2text" library has regular releases to fix issues and move to newer
versions of the HTML parser library it uses. But the version that is used in
akonadi-search is stuck at a really old version:
https://invent.kde.org/pim/akonadi-search/-/blob/master/agent/rs/htmlparser/Cargo.toml
Version 0.6.0 was released in May 2023, the current version is 0.16 (*ten*
major versions ahead). The release notes mention fixes for various issues
(integer underflow issues, divide-by-zero bugs, infinite loops, other panics):
https://github.com/jugglerchris/rust-html2text/blob/release_0.16.5/CHANGELOG.md
Under the hood of html2text, the HTML parsing library it uses (html5ever, from
the Servo project) was updated from version 0.26 to 0.36 (also ten major
versions further along). The fixes and improvements that have happened here are
also missing from the currently used version of html2text.
If I remember correctly, there was an effort to set up a bot (like dependabot)
to watch dependencies in projects like this, but this doesn't appear to have
happened.
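The report counts "ten major versions" for both html2text (0.6 to 0.16) and html5ever (0.26 to 0.36) because Cargo treats the minor number as the compatibility boundary for 0.x crates. The following script is an added example, not code from the report or from akonadi-search: it parses a constructed Cargo.toml modelled on the two crates the report names, applies Cargo's compatibility rule, and reports how many breaking releases each dependency is behind a snapshot of "latest" versions. The snapshot (LATEST_KNOWN) and the third dependency (logdemo) are constructed assumptions; a real check would take the latest versions from crates.io, for example via cargo-outdated, and pair it with cargo-audit for advisories.

```python
"""Flag Rust dependencies that are many breaking releases behind (added example)."""
import re

# Constructed sample manifest, modelled on the crates named in the bug report.
# "logdemo" is a hypothetical crate used only to show a dependency that is up to date.
SAMPLE_CARGO_TOML = """
[package]
name = "htmlparser"
version = "0.1.0"

[dependencies]
html2text = "0.6.0"
html5ever = { version = "0.26", default-features = false }  # inline table form
logdemo = "1.2"
"""

# Constructed snapshot of latest releases (assumption; a real tool queries crates.io).
LATEST_KNOWN = {"html2text": "0.16.5", "html5ever": "0.36.0", "logdemo": "1.9.0"}

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(spec):
    """Turn a Cargo requirement such as "^0.6.0", "0.26" or "=1.2" into (major, minor, patch).
    Operators are dropped: only the baseline release the requirement names matters here."""
    m = _VERSION_RE.search(spec)
    if not m:
        raise ValueError(f"unparseable version requirement: {spec!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def compat_key(version):
    """Cargo's semver rule: for 1.0+ the major number marks compatibility,
    for 0.x the minor number does, and for 0.0.z the patch number does."""
    major, minor, patch = version
    if major > 0:
        return (major,)
    if minor > 0:
        return (0, minor)
    return (0, 0, patch)


def breaking_releases_behind(current, latest):
    """Number of compatibility-boundary steps between current and latest,
    or None when the two sit on different sides of a 1.0 / 0.1.0 boundary."""
    ck, lk = compat_key(current), compat_key(latest)
    if len(ck) != len(lk):
        return None
    return max(0, lk[-1] - ck[-1])


def parse_dependencies(cargo_toml):
    """Extract name -> version requirement from the dependency tables.
    Handles `name = "ver"` and `name = { version = "ver", ... }`; entries without a
    version (path- or git-only) are skipped. Comments are stripped naively at '#'."""
    deps = {}
    in_deps = False
    for raw in cargo_toml.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_deps = line in ("[dependencies]", "[dev-dependencies]", "[build-dependencies]")
            continue
        if not in_deps:
            continue
        m = re.match(r"^([A-Za-z0-9_-]+)\s*=\s*(.+)$", line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if value.startswith('"'):
            deps[name] = value.strip('"')
        else:
            vm = re.search(r'version\s*=\s*"([^"]+)"', value)
            if vm:
                deps[name] = vm.group(1)
    return deps


def find_outdated(cargo_toml, latest_known, threshold=1):
    """Return {name: (requirement, latest, behind)} for every dependency that is at
    least `threshold` breaking releases behind, or that crossed a major boundary (behind=None)."""
    findings = {}
    for name, req in parse_dependencies(cargo_toml).items():
        if name not in latest_known:
            continue  # no reference point for this crate
        behind = breaking_releases_behind(parse_version(req), parse_version(latest_known[name]))
        if behind is None or behind >= threshold:
            findings[name] = (req, latest_known[name], behind)
    return findings


if __name__ == "__main__":
    for name, (req, latest, behind) in find_outdated(SAMPLE_CARGO_TOML, LATEST_KNOWN).items():
        gap = "crossed a major boundary" if behind is None else f"{behind} breaking releases behind"
        print(f"{name}: pinned {req}, latest {latest}, {gap}")
```

Running it reports html2text and html5ever as ten breaking releases behind each, matching the report's count, while the up-to-date logdemo entry is not listed. The threshold is deliberately low: for a crate that parses untrusted input, even one skipped breaking release can mean a missed fix for a panic or an infinite loop of the kind the html2text changelog describes.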