unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases 3 Wiki Activity

ci(audit): ignore RUSTSEC-2023-0071 (rsa Marvin timing sidechannel)
ci / rust (push) Failing after 30s
Details
apple / swift (push) Successful in 57s
Details
ci / web (push) Successful in 38s
Details
ci / docs-site (push) Successful in 1m11s
Details
android / android (push) Successful in 3m34s
Details
deb / build-publish (push) Successful in 2m18s
Details
decky / build-publish (push) Successful in 21s
Details
ci / bench (push) Successful in 4m37s
Details
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 44s
Details
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 22s
Details
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 48s
Details
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 45s
Details
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 2m17s
Details
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m28s
Details
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m12s
Details
docker / deploy-docs (push) Successful in 22s
Details
windows-host / package (push) Successful in 3m12s
Details

Browse Source 
cargo audit fails on the rsa "Marvin Attack" advisory, which has NO fixed release
(the constant-time rewrite is still unreleased upstream) and rsa is required for
GameStream/Moonlight pairing. The attack targets RSA *decryption* (PKCS#1 v1.5
padding oracle); the host uses rsa ONLY for PKCS#1 v1.5 signing/verifying
(gamestream/cert.rs + pairing.rs), never for decryption, so the vulnerable path is
not exercised. Add the documented .cargo/audit.toml ignore with the justification.

The 3 unmaintained warnings (audiopus_sys / paste / rustls-pemfile) are left visible
on purpose — `cargo audit` does not fail on them, and they carry a maintenance signal.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-06-22 10:32:04 +00:00
parent 72eeedc4da
commit 6a501f484a
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.cargo/audit.toml
+20
View File
@@ -0,0 +1,20 @@
# cargo-audit configuration — consumed by `.gitea/workflows/audit.yml` (`cargo audit`).
#
# Silence only advisories that are KNOWN-UNFIXABLE and either not applicable to how we use the crate
# or an accepted, documented risk. Keep this list TIGHT and justify every entry — an ignore here
# means the audit job stops flagging it, so the reasoning must hold up.
#
# NOTE: `cargo audit` (no `--deny warnings`) fails only on *vulnerabilities*, not on the
# `unmaintained` warnings (audiopus_sys / paste / rustls-pemfile). Those are left visible on purpose
# so we keep getting the maintenance signal — they do not fail CI.
[advisories]
ignore = [
# rsa "Marvin Attack" — a timing sidechannel in RSA *decryption* (PKCS#1 v1.5 padding oracle).
# There is NO fixed rsa release (the constant-time rewrite is still unreleased upstream), and rsa
# is required for GameStream/Moonlight pairing. Crucially, the host uses rsa ONLY for PKCS#1 v1.5
# SIGNING / VERIFYING (gamestream/cert.rs + gamestream/pairing.rs: SigningKey / VerifyingKey /
# Signer / Verifier) — it never performs RSA decryption, which is the operation Marvin targets.
# So the vulnerable code path is not exercised. Revisit if a fixed rsa ships or we add RSA decrypt.
"RUSTSEC-2023-0071",
]