From b5fc017b1968d2e860307e4a3153285bdb030eab Mon Sep 17 00:00:00 2001 From: enricobuehler Date: Thu, 2 Jul 2026 09:51:54 +0000 Subject: [PATCH] ci(audit): ignore quick-xml build-time DoS advisories (RUSTSEC-2026-0194/0195) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit quick-xml 0.39.4 enters only via wayland-scanner, a build-time proc-macro that parses trusted crate-shipped protocol XML at compile time — never a shipped binary, never runtime/attacker-controlled input, so neither DoS is reachable. wayland-scanner 0.31.10 (latest) pins quick-xml ^0.39; the fixes land only in >=0.41, so there is nothing to bump to. Co-Authored-By: Claude Opus 4.8 (1M context) --- .cargo/audit.toml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.cargo/audit.toml b/.cargo/audit.toml index 517486f..3a410bd 100644 --- a/.cargo/audit.toml +++ b/.cargo/audit.toml 
@@ -34,4 +34,17 @@ ignore = [ # a constant-time rsa ships (then drop this), the host ever signs an attacker-chosen message with # this key, or any RSA decryption / key-transport using the private key is added. "RUSTSEC-2023-0071", + + # quick-xml DoS advisories (RUSTSEC-2026-0194 quadratic-time duplicate-attribute check; + # RUSTSEC-2026-0195 unbounded namespace-declaration allocation in NsReader). Both are + # exploited by feeding attacker-controlled XML to a running parser. In this tree quick-xml is + # a BUILD-TIME-ONLY, transitive dependency of `wayland-scanner` (a proc-macro that parses the + # TRUSTED wayland protocol XML files shipped with the wayland-rs crates at compile time). It is + # never linked into any shipped binary and never parses runtime/attacker-controlled input, so + # neither DoS is reachable. There is no fix to bump to: wayland-scanner 0.31.10 (latest) pins + # `quick-xml ^0.39`, and the fixes only exist in quick-xml >=0.41. Revisit (drop these) when + # wayland-scanner releases against quick-xml >=0.41, or if quick-xml is ever pulled onto a + # runtime path that parses untrusted XML. + "RUSTSEC-2026-0194", + "RUSTSEC-2026-0195", ]
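Review bot: the two new ignore entries rest entirely on the claim in the comment that quick-xml is reachable only through the `wayland-scanner` proc-macro and is never linked into a shipped binary, but nothing in the hunk records how that was verified or how it will be re-verified when `Cargo.lock` changes. Since `ignore` entries in audit.toml never expire, suggest adding the reverse-dependency command used to confirm the claim to the comment (for example `cargo tree -i quick-xml`, whose output marks proc-macro crates with `(proc-macro)` so the build-time-only path is visible), and pinning the "revisit" condition to something a reader can check mechanically, such as "drop once `Cargo.lock` shows wayland-scanner newer than 0.31.10 or quick-xml >= 0.41", rather than leaving it as a prose reminder. As written, a later change that adds quick-xml as a normal dependency would silently inherit both suppressions.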