sayanarijit / qrscan Goto Github PK

Memory corruption, denial of service, and arbitrary code execution in libgit2

The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:

• The git_revparse_single function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the git2 crate via the Repository::revparse_single method.
• The git_index_add function may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in the git2 crate via the Index::add method.
• The smart transport negotiation may experience an out-of-bounds read when a remote server did not advertise capabilities.

The libgit2-sys crate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release of libgit2-sys bundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.

It is recommended that all users upgrade.

See advisory page for additional details.

ansi_term is Unmaintained

The maintainer has advised that this crate is deprecated and will not receive any maintenance.

The crate does not seem to have much dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

• anstyle
• console
• nu-ansi-term
• owo-colors
• stylish
• yansi

Dependency Specific Migration(s)

• structopt, clap2

See advisory page for additional details.

I am using the prebuilt binaries in the releases page in Windows, and I get this error when I try to run the qrscan command:

error: qrscan: Could not get device property Devices: Not Found

I did a test with a skewed image (trapezoid), a QR code on a computer screen shot with a phone: qrscan will not recognize the QR code, probably because of the surroundings, because when I crop the image to remove those, the QR code is recognized & decoded fine.

Lower part of the original image:

Commands:

As you can see, cropping does the trick with qrscan… and zbarimg doesn't work in either case.

PS: lower part of the image after cropping, but still skewed:

git clone https://github.com/sayanarijit/qrscan.git
cd qrscan
cargo install --locked --force qrscan

 Compiling flume v0.10.14
  Compiling image v0.23.14
  Compiling clap v3.2.22
  Compiling v4l2-sys-mit v0.2.0
  Compiling rqrr v0.4.0
  Compiling viuer v0.5.3
  Compiling qrcode v0.12.0
  Compiling mozjpeg v0.8.24
  Compiling v4l v0.12.1
  Compiling nokhwa v0.9.4
  Compiling qrscan v0.1.7
error[E0716]: temporary value dropped while borrowed
  --> /home/rvl/.cargo/registry/src/github.com-1ecc6299db9ec823/qrscan-0.1.7/src/main.rs:149:21
   |
149 |     let mut stdin = std::io::stdin().lock();
   |                     ^^^^^^^^^^^^^^^^       - temporary value is freed at the end of this statement
   |                     |
   |                     creates a temporary which is freed while still in use
150 |     stdin.read_to_end(&mut buf)?;
   |     --------------------------- borrow later used here
   |
   = note: consider using a `let` binding to create a longer lived value

For more information about this error, try `rustc --explain E0716`.
error: failed to compile `qrscan v0.1.7`, intermediate artifacts can be found at `/tmp/cargo-installr5Mk2D`

Caused by:
 could not compile `qrscan` due to previous error

System: Linux Arch and Also on Linux Mint 20.1
18:21 $ cargo --version
cargo 1.60.0 (d1fd9fe 2022-03-01)
18:25 $ rustc --version
rustc 1.60.0 (7737e0b5c 2022-04-04)

If any other info is needed please let me know.

cargo install --locked --force qrscan

....

error[E0716]: temporary value dropped while borrowed
   --> /home/user/.cargo/registry/src/github.com-1ecc6299db9ec823/qrscan-0.1.6/src/main.rs:149:21
    |
149 |     let mut stdin = std::io::stdin().lock();
    |                     ^^^^^^^^^^^^^^^^       - temporary value is freed at the end of this statement
    |                     |
    |                     creates a temporary which is freed while still in use
150 |     stdin.read_to_end(&mut buf)?;
    |     --------------------------- borrow later used here
    |
    = note: consider using a `let` binding to create a longer lived value

For more information about this error, try `rustc --explain E0716`.
error: failed to compile `qrscan v0.1.6`, intermediate artifacts can be found at `/tmp/cargo-installGioEDO`

Caused by:
  could not compile `qrscan` due to previous error

According to the docs this is who to fix it.

A temporary value is being dropped while a borrow is still in active use.

Erroneous code example:

fn foo() -> i32 { 22 }
fn bar(x: &i32) -> &i32 { x }
let p = bar(&foo());
         // ------ creates a temporary
let q = *p;

Here, the expression &foo() is borrowing the expression foo(). As foo() is
a call to a function, and not the name of a variable, this creates a
temporary -- that temporary stores the return value from foo() so that it
can be borrowed. You could imagine that let p = bar(&foo()); is equivalent to
the following, which uses an explicit temporary variable.

Erroneous code example:

let p = {
  let tmp = foo(); // the temporary
  bar(&tmp) // error: `tmp` does not live long enough
}; // <-- tmp is freed as we exit this block
let q = p;

Whenever a temporary is created, it is automatically dropped (freed) according
to fixed rules. Ordinarily, the temporary is dropped at the end of the enclosing
statement -- in this case, after the let. This is illustrated in the example
above by showing that tmp would be freed as we exit the block.

To fix this problem, you need to create a local variable to store the value in
rather than relying on a temporary. For example, you might change the original
program to the following:

fn foo() -> i32 { 22 }
fn bar(x: &i32) -> &i32 { x }
let value = foo(); // dropped at the end of the enclosing block
let p = bar(&value);
let q = *p;

By introducing the explicit let value, we allocate storage that will last
until the end of the enclosing block (when value goes out of scope). When we
borrow &value, we are borrowing a local variable that already exists, and
hence no temporary is created.

Temporaries are not always dropped at the end of the enclosing statement. In
simple cases where the & expression is immediately stored into a variable, the
compiler will automatically extend the lifetime of the temporary until the end
of the enclosing block. Therefore, an alternative way to fix the original
program is to write let tmp = &foo() and not let tmp = foo():

fn foo() -> i32 { 22 }
fn bar(x: &i32) -> &i32 { x }
let value = &foo();
let p = bar(value);
let q = *p;

Here, we are still borrowing foo(), but as the borrow is assigned directly
into a variable, the temporary will not be dropped until the end of the
enclosing block. Similar rules apply when temporaries are stored into aggregate
structures like a tuple or struct:

// Here, two temporaries are created, but
// as they are stored directly into `value`,
// they are not dropped until the end of the
// enclosing block.
fn foo() -> i32 { 22 }
let value = (&foo(), &foo());

Multiple issues involving quote API

Issue 1: Failure to quote characters

Affected versions of this crate allowed the bytes { and \xa0 to appear
unquoted and unescaped in command arguments.

If the output of quote or join is passed to a shell, then what should be a
single command argument could be interpreted as multiple arguments.

This does not directly allow arbitrary command execution (you can't inject a
command substitution or similar). But depending on the command you're running,
being able to inject multiple arguments where only one is expected could lead
to undesired consequences, potentially including arbitrary command execution.

The flaw was corrected in version 1.2.1 by escaping additional characters.
Updating to 1.3.0 is recommended, but 1.2.1 offers a more minimal fix if
desired.

Workaround: Check for the bytes { and \xa0 in quote/join input or
output.

(Note: { is problematic because it is used for glob expansion. \xa0 is
problematic because it's treated as a word separator in specific
environments.)

Issue 2: Dangerous API w.r.t. nul bytes

Version 1.3.0 deprecates the quote and join APIs in favor of try_quote
and try_join, which behave the same except that they have Result return
type, returning Err if the input contains nul bytes.

Strings containing nul bytes generally cannot be used in Unix command arguments
or environment variables, and most shells cannot handle nul bytes even
internally. If you try to pass one anyway, then the results might be
security-sensitive in uncommon scenarios. More details here.

Due to the low severity, the behavior of the original quote and join APIs
has not changed; they continue to allow nuls.

Workaround: Manually check for nul bytes in quote/join input or output.

Issue 3: Lack of documentation for interactive shell risks

The quote family of functions does not and cannot escape control characters.
With non-interactive shells this is perfectly safe, as control characters have
no special effect. But if you writing directly to the standard input of an
interactive shell (or through a pty), then control characters can cause
misbehavior including arbitrary command injection.

This is essentially unfixable, and has not been patched. But as of version
1.3.0, documentation has been added.

Future versions of shlex may add API variants that avoid the issue at the
cost of reduced portability.

See advisory page for additional details.

Tried installing on fresh copy of Ubuntu 22.04 and 20.04 and am receiving this error both times:

Compiling nasm-rs v0.2.4
error: failed to run custom build command for v4l2-sys-mit v0.2.0

Caused by:
process didn't exit successfully: /tmp/cargo-installNHPPng/release/build/v4l2-sys-mit-3b1612bc27ecc5ea/build-script-build (exit status: 101)
--- stderr
thread 'main' panicked at 'Unable to find libclang: "couldn't find any valid shared libraries matching: ['libclang.so', 'libclang-.so', 'libclang.so.', 'libclang-.so.'], set the LIBCLANG_PATH environment variable to a path where one of these files can be found (invalid: [])"', /root/.cargo/registry/src/github.com-1ecc6299db9ec823/bindgen-0.56.0/src/lib.rs:1922:31
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
error: failed to compile qrscan v0.1.7, intermediate artifacts can be found at /tmp/cargo-installNHPPng