From 1e967b392fd9562ecd663c8db3765109e1128bc5 Mon Sep 17 00:00:00 2001 From: GitHub Copilot Date: Sun, 19 Apr 2026 15:13:27 +0000 Subject: [PATCH] Fix GHSA-cq8v-f236-94qc: Update rand from 0.8 to 0.9.3 Update the rand crate to version 0.9.3 to fix a soundness issue that occurs when: - The log and thread_rng features are enabled - A custom logger is defined that accesses rand::rng() The vulnerability is tracked as RUSTSEC-2026-0097. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- Cargo.toml | 2 +- vulnerabilities.md | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 vulnerabilities.md diff --git a/Cargo.toml b/Cargo.toml index b1e907d..18b6f87 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -45,7 +45,7 @@ base64 = "0.22" # Real-time processing crossbeam = "0.8" parking_lot = "0.12" -rand = "0.8" # For benchmark simulation +rand = "0.9.3" # For benchmark simulation (updated to fix GHSA-cq8v-f236-94qc) # Audio processing for voice input/output rodio = "0.17" # Audio playbook diff --git a/vulnerabilities.md b/vulnerabilities.md new file mode 100644 index 0000000..f7a5af7 --- /dev/null +++ b/vulnerabilities.md 
@@ -0,0 +1,37 @@ +# Security Vulnerabilities for Josh-XT/OpticXT + +**Repository:** https://github.com/Josh-XT/OpticXT +**Total Alerts:** 1 +**Generated:** 2026-04-19T15:12:29.116635+00:00 + +--- + +## 1. [LOW] ✅ RESOLVED - Rand is unsound with a custom logger using rand::rng() + +- **Type:** Dependabot +- **Severity:** low +- **Package:** rand +- **Ecosystem:** rust +- **Vulnerable Range:** >= 0.7.0, < 0.9.3 +- **Patched Version:** 0.9.3 +- **Manifest File:** Cargo.toml +- **Scope:** runtime +- **Dependency Type:** unknown +- **GHSA:** GHSA-cq8v-f236-94qc +- **CWEs:** CWE-20: Improper Input Validation +- **Description:** It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met: + +- The `log` and `thread_rng` features are enabled +- A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined +- The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) +- **References:** + - https://github.com/rust-random/rand/pull/1763 + - https://rustsec.org/advisories/RUSTSEC-2026-0097.html + - https://github.com/advisories/GHSA-cq8v-f236-94qc +- **URL:** https://github.com/Josh-XT/OpticXT/security/dependabot/1 + +--- + +IMPORTANT: Do NOT commit directly to the main branch. Create a new branch named `fix/security-vulnerabilities` from the default branch, make all changes there, then open a pull request back to the default branch. + +Please fix all of the above vulnerabilities. For dependency vulnerabilities, update the affected packages to their patched versions. For code scanning issues, fix the code at the specified locations. For security advisories, review the reported vulnerability and implement the necessary code fixes to address them. \ No newline at end of file
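Review bot: in the Cargo.toml hunk, `rand = "0.8"` → `rand = "0.9.3"` crosses a semver-major boundary but the diff stat shows no source files and no Cargo.lock change, so either the crate's rand call sites already compile against 0.9 (the advisory text itself notes `rand::thread_rng()` was renamed to `rand::rng()` in that line of releases) or this PR leaves the build broken; please include the migrated call sites and the regenerated Cargo.lock in the same commit, or state in the PR description that `cargo build` was run against 0.9.3. The advisory is also conditional (it requires the `log` and `thread_rng` features plus a custom logger that calls `rand::rng()`), and nothing in the hunk shows whether this crate enables rand's `log` feature, so the commit message should say whether the project was actually exposed or whether this is a precautionary bump; the inline comment `(updated to fix GHSA-cq8v-f236-94qc)` is fine, but the advisory id is already in the commit message, so it could equally be dropped to keep the manifest line short.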
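Review bot: the vulnerabilities.md hunk commits a machine-generated Dependabot report whose last two paragraphs ("IMPORTANT: Do NOT commit directly to the main branch..." and "Please fix all of the above vulnerabilities...") are the bot's own task prompt, not project documentation, and must not land in the repository; either drop those paragraphs or, preferably, leave the file out of the PR entirely, since the alert is already tracked at the Dependabot URL and the GHSA/RUSTSEC ids are in the commit message. If the file is kept, note that it hard-codes point-in-time state (`**Total Alerts:** 1`, `**Generated:** 2026-04-19T15:12:29...`, `✅ RESOLVED`, `**Dependency Type:** unknown`) that will go stale on the next alert, and it ends with `\ No newline at end of file`, which the repository's other text files presumably avoid.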