From 6a501f484a1f0732b93ca167b8778020ecd4d63e Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Mon, 22 Jun 2026 10:32:04 +0000
Subject: [PATCH] ci(audit): ignore RUSTSEC-2023-0071 (rsa Marvin timing sidechannel)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

cargo audit fails on the rsa "Marvin Attack" advisory, which has NO fixed release (the constant-time rewrite is still unreleased upstream) and rsa is required for GameStream/Moonlight pairing. The attack targets RSA *decryption* (PKCS#1 v1.5 padding oracle); the host uses rsa ONLY for PKCS#1 v1.5 signing/verifying (gamestream/cert.rs + pairing.rs), never for decryption, so the vulnerable path is not exercised. Add the documented .cargo/audit.toml ignore with the justification. The 3 unmaintained warnings (audiopus_sys / paste / rustls-pemfile) are left visible on purpose — `cargo audit` does not fail on them, and they carry a maintenance signal.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .cargo/audit.toml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .cargo/audit.toml

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
new file mode 100644
index 0000000..8456ac5
--- /dev/null
+++ b/.cargo/audit.toml
@@ -0,0 +1,20 @@
+# cargo-audit configuration — consumed by `.gitea/workflows/audit.yml` (`cargo audit`).
+#
+# Silence only advisories that are KNOWN-UNFIXABLE and either not applicable to how we use the crate
+# or an accepted, documented risk. Keep this list TIGHT and justify every entry — an ignore here
+# means the audit job stops flagging it, so the reasoning must hold up.
+#
+# NOTE: `cargo audit` (no `--deny warnings`) fails only on *vulnerabilities*, not on the
+# `unmaintained` warnings (audiopus_sys / paste / rustls-pemfile). Those are left visible on purpose
+# so we keep getting the maintenance signal — they do not fail CI.
+
+[advisories]
+ignore = [
+ # rsa "Marvin Attack" — a timing sidechannel in RSA *decryption* (PKCS#1 v1.5 padding oracle).
+ # There is NO fixed rsa release (the constant-time rewrite is still unreleased upstream), and rsa
+ # is required for GameStream/Moonlight pairing. Crucially, the host uses rsa ONLY for PKCS#1 v1.5
+ # SIGNING / VERIFYING (gamestream/cert.rs + gamestream/pairing.rs: SigningKey / VerifyingKey /
+ # Signer / Verifier) — it never performs RSA decryption, which is the operation Marvin targets.
+ # So the vulnerable code path is not exercised. Revisit if a fixed rsa ships or we add RSA decrypt.
+ "RUSTSEC-2023-0071",
+]
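Review bot: The justification ending in `# So the vulnerable code path is not exercised.` rests on Marvin being a decryption-only issue, but PKCS#1 v1.5 signing performs the same private-key exponentiation as decryption, and the RUSTSEC-2023-0071 advisory text (as I recall it) states the impact as private-key leakage through timing observable over the network, with the only workaround being to avoid the crate where an attacker can observe timings. The accepted-risk argument is therefore a threat-model one — who can time the host's pairing-time signatures, and what the pairing key is worth if leaked — rather than "path not exercised", and the comment should say so, otherwise the next person re-checking this ignore accepts it on an inaccurate premise. I would replace that last sentence with `# Signing still runs the private-key operation, so this is an accepted residual risk based on the threat model` / `# (who can observe timings of pairing-time signatures), not an unused code path.` and keep the `Revisit if a fixed rsa ships or we add RSA decrypt.` trigger. Recording the rsa version this was evaluated against and a review date next to the entry would also stop the ignore from silently outliving its justification.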