
Update dependencies to address Dependabot CVE reports#35

Merged
jerrysxie merged 5 commits into OpenDevicePartnership:main from jerrysxie:fix/dependabot-cve-updates
Apr 3, 2026

Conversation

@jerrysxie
Contributor

Summary

Update bootloader-tool dependencies to address CVE reports flagged by Dependabot.

Dependency Changes

| Dependency | Before | After | Type |
| --- | --- | --- | --- |
| rsa | 0.9.8 | 0.9.10 | direct |
| time | 0.3.44 | 0.3.47 | transitive (lock file) |
| probe-rs | 0.29.1 | 0.31.0 | direct |
| object | 0.37.3 | 0.38 | direct |
| espflash | 3.3.0 | 4.3.0 | transitive |
| xmas-elf | 0.9.1 | removed | transitive |

Dependabot Alerts & CVE Details

1. `time`: CVE-2026-25727 / RUSTSEC-2026-0009: Denial of Service via Stack Exhaustion

  • Severity: MEDIUM (CVSS 6.8)
  • Advisory: RUSTSEC-2026-0009 / GHSA-r6v5-fh4h-64xc
  • Affected versions: >=0.3.6, <0.3.47
  • Patched in: >=0.3.47
  • Impact: When user-provided input is parsed with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner.
  • Fix: Updated time from 0.3.44 → 0.3.47, which adds a recursion depth limit.

2. `rsa`: CVE-2023-49092 / RUSTSEC-2023-0071: Marvin Attack (timing sidechannel)

  • Severity: MEDIUM (CVSS 5.9)
  • Advisory: RUSTSEC-2023-0071 / GHSA-4grx-2x9w-596c
  • Affected versions: <=0.9.6
  • Impact: Due to a non-constant-time implementation, information about the private key is leaked through timing information observable over the network. An attacker may be able to use that information to recover the key.
  • Note: The upstream rsa crate has no fully patched version yet — this advisory remains open. The update from 0.9.8 → 0.9.10 picks up the latest available improvements. This is a CLI tool, not a network service, so exposure is minimal.

3. xmas-elf — Dependabot flagged for update to 0.10

  • xmas-elf 0.9.1 was a transitive dependency via espflash 3.x (pulled in by probe-rs 0.29.1).
  • It could not be updated to 0.10 under the old version constraint.
  • Resolution: Updated probe-rs from 0.29.1 → 0.31.0, which depends on espflash ^4. espflash 4.x dropped xmas-elf entirely (replaced by the object crate), removing it from the dependency tree altogether.

Testing

  • cargo check passes successfully with all updated dependencies.

- Update rsa from 0.9.8 to 0.9.10 (RUSTSEC-2023-0071 / CVE-2023-49092)
- Update time from 0.3.44 to 0.3.47 (RUSTSEC-2026-0009 / CVE-2026-25727)
- Update probe-rs from 0.29.1 to 0.31.0
- Update object from 0.37.3 to 0.38

The probe-rs and object updates were needed because xmas-elf (a
transitive dependency via espflash 3.x) could not be updated to 0.10
under probe-rs 0.29.1. probe-rs 0.31.0 uses espflash 4.x which dropped
xmas-elf entirely, removing it from the dependency tree.
Copilot AI review requested due to automatic review settings March 31, 2026 20:57
@jerrysxie jerrysxie requested a review from a team as a code owner March 31, 2026 20:57
@github-project-automation github-project-automation bot moved this to In progress in ODP Backlog Mar 31, 2026
@jerrysxie jerrysxie added the enhancement New feature or request label Mar 31, 2026

Copilot AI left a comment


Pull request overview

Updates bootloader-tool’s Rust dependency set to address Dependabot-reported CVEs and remove a flagged transitive dependency (xmas-elf) by moving to newer probe-rs/espflash versions.

Changes:

  • Bump direct dependencies: probe-rs to 0.31.0, object to 0.38, and rsa to 0.9.10.
  • Refresh Cargo.lock to pull in patched time (0.3.47) and updated transitive dependencies, including espflash 4.3.0.
  • Remove xmas-elf from the resolved dependency tree via the updated espflash dependency graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| bootloader-tool/Cargo.toml | Updates direct dependency versions to newer, security-aligned releases. |
| bootloader-tool/Cargo.lock | Locks updated transitive dependency graph (notably time patch and xmas-elf removal). |


@jerrysxie jerrysxie self-assigned this Mar 31, 2026
RobertZ2011 previously approved these changes Mar 31, 2026
kurtjd previously approved these changes Mar 31, 2026

@kurtjd kurtjd left a comment


Approved pending fix of warning.

@jerrysxie jerrysxie dismissed stale reviews from kurtjd and RobertZ2011 via c509f9a March 31, 2026 23:29
@jerrysxie jerrysxie enabled auto-merge (squash) March 31, 2026 23:30
Copilot AI review requested due to automatic review settings March 31, 2026 23:46

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.


kurtjd previously approved these changes Apr 1, 2026
- Change `to_rkth` return type from `Rkth` to `Result<Rkth, BootError>`
- Replace `.unwrap()` on hash with `.map_err(|_| BootError::Hash)?`
- Add `BootError::Hash` variant for hashing failures
- Propagate the error with `?` at the call site in `check_image`
- Fix typo: "lenght" -> "length"
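The `unwrap`-to-`Result` change described in the commit above, as an added example that is not the bootloader-tool's own code: `Rkth` is assumed to wrap a 32-byte digest, `RkthMismatch` and the `digest` parameter are assumptions, and `toy_digest` is a non-cryptographic stand-in so the block runs with std only. The fallible step is the conversion of the digest output into the fixed-width array.

```rust
/// Error type returned by the boot-image checks. The page names only the
/// `Hash` variant; `RkthMismatch` is assumed here so `check_image` has a
/// second failure mode to distinguish from a hashing failure.
#[derive(Debug, PartialEq)]
pub enum BootError {
    /// The digest step failed (here: the backend returned the wrong width).
    Hash,
    /// The image's stored RKTH does not match the one computed from the table.
    RkthMismatch,
}

/// Root Key Table Hash, assumed here to be a 32-byte digest.
#[derive(Debug, PartialEq, Clone, Copy)]
pub struct Rkth(pub [u8; 32]);

/// Stand-in digest so the example runs without external crates. It is NOT a
/// cryptographic hash; `out_len` lets a caller simulate a backend whose
/// output width does not match what `Rkth` expects.
pub fn toy_digest(data: &[u8], out_len: usize) -> Vec<u8> {
    let mut out = vec![0u8; out_len];
    if out_len == 0 {
        return out;
    }
    for (i, b) in data.iter().enumerate() {
        out[i % out_len] = out[i % out_len].rotate_left(3) ^ b;
    }
    out
}

/// Before the fix this returned `Rkth` and called `.try_into().unwrap()` on
/// the digest, so a width mismatch panicked the tool. After the fix the
/// mismatch is reported as `BootError::Hash` for the caller to handle.
pub fn to_rkth(key_table: &[u8], digest: impl Fn(&[u8]) -> Vec<u8>) -> Result<Rkth, BootError> {
    let bytes: [u8; 32] = digest(key_table).try_into().map_err(|_| BootError::Hash)?;
    Ok(Rkth(bytes))
}

/// Call site: `?` propagates a hash failure instead of unwinding.
pub fn check_image(
    key_table: &[u8],
    digest: impl Fn(&[u8]) -> Vec<u8>,
    stored: Rkth,
) -> Result<(), BootError> {
    let computed = to_rkth(key_table, digest)?;
    if computed != stored {
        return Err(BootError::RkthMismatch);
    }
    Ok(())
}
```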
@jerrysxie jerrysxie requested a review from gjpmsft April 1, 2026 22:27
@jerrysxie
Contributor Author

@gjpmsft @JamesHuard Please give this a review and let me know if there is any concern.

@jerrysxie jerrysxie merged commit 3aff8f2 into OpenDevicePartnership:main Apr 3, 2026
9 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in ODP Backlog Apr 3, 2026