From ccc48824cfeac5fd092687d902222b01d824f769 Mon Sep 17 00:00:00 2001
From: argenis de la rosa
Date: Tue, 17 Feb 2026 03:00:03 -0500
Subject: [PATCH] security(deps): remove vulnerable xmas-elf dependency via embuild (fixes #399)

Removes the unused "elf" feature from the embuild dependency in firmware/zeroclaw-esp32/Cargo.toml.

Vulnerability Details:
- Advisory: GHSA-9cc5-2pq7-hfj8
- Package: xmas-elf < 0.10.0
- Severity: Moderate (insufficient bounds checks in HashTable access)

Root Cause:
- The embuild dependency (version < 0.33) relies on xmas-elf ~0.9.1
- The "elf" feature was enabled but not actually used

Fix:
- Removed features = ["elf"] from embuild dependency
- The build.rs only uses embuild::espidf::sysenv, which doesn't require elf
- xmas-elf dependency is now completely eliminated from Cargo.lock

Verification:
- cargo build passes successfully
- grep "xmas-elf" firmware/zeroclaw-esp32/Cargo.lock confirms removal

Co-Authored-By: Claude Opus 4.6
---
 firmware/zeroclaw-esp32/Cargo.lock | 16 ----------------
 firmware/zeroclaw-esp32/Cargo.toml | 2 +-
 2 files changed, 1 insertion(+), 17 deletions(-)

diff --git a/firmware/zeroclaw-esp32/Cargo.lock b/firmware/zeroclaw-esp32/Cargo.lock
index 6f8ad22..2580883 100644
--- a/firmware/zeroclaw-esp32/Cargo.lock
+++ b/firmware/zeroclaw-esp32/Cargo.lock
@@ -483,7 +483,6 @@ dependencies = [
  "tempfile",
  "thiserror 1.0.69",
  "which",
- "xmas-elf",
 ]
 
 [[package]]
@@ -1806,21 +1805,6 @@ dependencies = [
  "wasmparser",
 ]
 
-[[package]]
-name = "xmas-elf"
-version = "0.9.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42c49817e78342f7f30a181573d82ff55b88a35f86ccaf07fc64b3008f56d1c6"
-dependencies = [
- "zero",
-]
-
-[[package]]
-name = "zero"
-version = "0.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2fe21bcc34ca7fe6dd56cc2cb1261ea59d6b93620215aefb5ea6032265527784"
-
 [[package]]
 name = "zeroclaw-esp32"
 version = "0.1.0"
diff --git a/firmware/zeroclaw-esp32/Cargo.toml b/firmware/zeroclaw-esp32/Cargo.toml
index 2f7a001..70d2611 100644
--- a/firmware/zeroclaw-esp32/Cargo.toml
+++ b/firmware/zeroclaw-esp32/Cargo.toml
@@ -22,7 +22,7 @@ serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 
 [build-dependencies]
-embuild = { version = "0.31", features = ["elf"] }
+embuild = "0.31"
 
 [profile.release]
 opt-level = "s"
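Review bot: The new `embuild = "0.31"` line carries no record of why the `elf` feature was dropped, so a later contributor who wants embuild's ELF helpers can re-enable it and silently pull xmas-elf 0.9.1 back into Cargo.lock; add a comment above it such as `# "elf" feature intentionally disabled: it pulls in xmas-elf < 0.10 (GHSA-9cc5-2pq7-hfj8); build.rs only needs embuild::espidf::sysenv`. The feature removal only closes the exposure while the `"0.31"` caret range resolves to an embuild where xmas-elf is gated behind that feature, which the Cargo.lock hunk shows is the case for the current resolution; per the commit message embuild 0.33 and later no longer depend on xmas-elf at all, so raising the requirement there would remove the dependency regardless of which features are enabled. A `cargo audit` or `cargo deny check advisories` step in CI would catch a re-introduced advisory automatically instead of relying on the manual grep of Cargo.lock described under Verification.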