[Pkg-rust-maintainers] Bug#1050299: rust-webpki: RUSTSEC-2023-0052

Reinhard Tartler siretart at tauware.de
Fri Sep 8 21:53:18 BST 2023


Hi Salvatore,

thanks for filing this bug.

> Please see https://rustsec.org/advisories/RUSTSEC-2023-0052.html .

This page is giving a very general description of the problem:

>> When this crate is given a pathological certificate chain to validate, it
>> will spend CPU time exponential with the number of candidate certificates at
>> each step of path building.

>> Both TLS clients and TLS servers that accept client certificates are affected.

The page is also indicating that the issue was fixed in version 0.22.1; hence
I've packaged that version and closed this bug. While this might not address
all concerns (at least https://github.com/briansmith/webpki/issues/69
indicates that there is more work to do),
https://github.com/briansmith/webpki/issues/69#issuecomment-1699894848
indicates:

>> There is a webpki 0.22.1 release that implements the signature count mitigation.

Additionally, you are asking:

> Should rust-webpki be removed from Debian testing and unstable?

```
siretart at coccia:~$ dak rm -nR  rust-webpki
Will remove the following packages from unstable:

librust-webpki-dev |   0.22.0-2 | amd64, arm64, armel, armhf, i386
rust-webpki |   0.22.0-2 | source

Maintainer: Debian Rust Maintainers <pkg-rust-maintainers at alioth-lists.debian.net>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
No dependency problem found.
```

I think this indicates that it can indeed be safely removed from Debian? I'm
CC'ing developers that have made uploads to this package in the past for
additional opinions, as I suspect the issue is more subtle than that.

-rt
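As an added illustration (not code from webpki, Debian or this thread), the following toy Rust model shows why a pool of indistinguishable candidate certificates makes path building exponential, and how a signature-count budget of the kind the comment above refers to bounds the work. Certificates are constructed stand-ins and signature checks are only counted, never performed.

```rust
use std::collections::HashMap;

/// Toy intermediate certificate: the name it certifies and the name that signed it.
/// Signature verification is simulated (counted, never performed); this models the
/// path search, not the cryptography.
#[derive(Debug, Clone)]
pub struct Cert { pub subject: String, pub issuer: String }

#[derive(Debug, PartialEq)]
pub enum PathError { NoPath, BudgetExceeded }

/// Depth-first path builder from `issuer` (the end-entity's issuer name) to a trust
/// anchor. Returns the outcome together with the number of signature checks spent.
/// `budget = None` is the unbounded search; `Some(n)` is a signature-count cap.
pub fn build_path(issuer: &str, pool: &[Cert], anchors: &[&str], budget: Option<usize>)
    -> (Result<Vec<String>, PathError>, usize) {
    let mut by_subject: HashMap<&str, Vec<&Cert>> = HashMap::new();
    for c in pool { by_subject.entry(c.subject.as_str()).or_default().push(c); }
    let (mut checks, mut path) = (0usize, Vec::new());
    let res = dfs(issuer, &by_subject, anchors, budget, &mut checks, &mut path, 0);
    (res.map(|_| path), checks)
}

fn dfs(name: &str, by_subject: &HashMap<&str, Vec<&Cert>>, anchors: &[&str],
       budget: Option<usize>, checks: &mut usize, path: &mut Vec<String>, depth: usize)
    -> Result<(), PathError> {
    if anchors.contains(&name) { return Ok(()); }
    if depth >= 8 { return Err(PathError::NoPath); } // bound chain length
    let cands = match by_subject.get(name) { Some(c) => c, None => return Err(PathError::NoPath) };
    for cand in cands {
        // One signature verification per candidate before it can be followed.
        if budget.map_or(false, |max| *checks >= max) { return Err(PathError::BudgetExceeded); }
        *checks += 1;
        path.push(cand.subject.clone());
        match dfs(&cand.issuer, by_subject, anchors, budget, checks, path, depth + 1) {
            Ok(()) => return Ok(()),
            Err(PathError::BudgetExceeded) => return Err(PathError::BudgetExceeded),
            Err(PathError::NoPath) => { path.pop(); } // dead end: try the next candidate
        }
    }
    Err(PathError::NoPath)
}

/// Constructed pathological pool: `depth` levels of `width` indistinguishable
/// candidates each, none chaining to an anchor, so every path is a dead end.
pub fn pathological_pool(depth: usize, width: usize) -> Vec<Cert> {
    (0..depth).flat_map(|lvl| (0..width).map(move |_| Cert {
        subject: format!("ca{}", lvl), issuer: format!("ca{}", lvl + 1),
    })).collect()
}
```

Without a budget the dead-end search costs w + w^2 + ... + w^d signature checks for w candidates per level and depth d; with a budget the verifier gives up after the cap instead.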
