
update dependencies to solve security vulnerability#26

Merged
felipebalbi merged 1 commit into OpenDevicePartnership:main from felipebalbi:update-deps on Sep 22, 2025

Conversation

@felipebalbi

Contributor

Sorts out this known vulnerability:

installed targets:
  x86_64-unknown-linux-musl
warning[unmatched-organization]: allowed 'github.com' organization was not encountered
    ┌─ ./deny.toml:233:12
    │
233 │ github = ["OpenDevicePartnership"]
    │            ━━━━━━━━━━━━━━━━━━━━━ no crate source fell under this organization

error[vulnerability]: Out-of-bounds access in get_disjoint_mut due to incorrect bounds check
   ┌─ /github/workspace/Cargo.lock:43:1
   │
43 │ slab 0.4.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2025-0047
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0047
   ├ ## Impact
     The get_disjoint_mut method in slab v0.4.10 incorrectly checked if indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes.

     ## Patches
     This has been fixed in slab v0.4.11.

     ## Workarounds
     Avoid using `get_disjoint_mut` with indices that might be beyond the slab's actual length, or upgrade to v0.4.11 or later.

     ## References
     * [https://github.com/tokio-rs/slab/pull/152](https://github.com/tokio-rs/slab/pull/152)
   ├ Announcement: GHSA-qx2v-8332-m4fv
   ├ Solution: Upgrade to >=0.4.11 (try cargo update -p slab)
   ├ slab v0.4.10
     └── tokio v1.46.1
         └── (dev) tmp108 v0.3.0

warning[yanked]: detected yanked crate (try cargo update -p slab)
   ┌─ /github/workspace/Cargo.lock:43:1
   │
43 │ slab 0.4.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ yanked version
   │
   ├ slab v0.4.10
     └── tokio v1.46.1
         └── (dev) tmp108 v0.3.0

advisories FAILED, bans ok, licenses ok, sources ok

@felipebalbi felipebalbi self-assigned this Sep 22, 2025
@felipebalbi felipebalbi requested a review from a team as a code owner September 22, 2025 14:28
Copilot AI review requested due to automatic review settings September 22, 2025 14:28
@felipebalbi felipebalbi added the bug Something isn't working label Sep 22, 2025
@felipebalbi felipebalbi added the dependencies Pull requests that update a dependency file label Sep 22, 2025

Copilot AI left a comment


Pull Request Overview

This PR addresses a security vulnerability in the slab crate by updating the tokio dependency to version 1.47.0, which includes the patched version of slab (>=0.4.11). Additionally, it removes an unused organization allowlist entry from the deny.toml configuration.

  • Updates tokio from 1.37.0 to 1.47.0 to resolve RUSTSEC-2025-0047 vulnerability
  • Removes unused "OpenDevicePartnership" organization from deny.toml allowlist
  • Bumps package version from 0.3.0 to 0.3.1

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File        Description
Cargo.toml  Updates tokio dependency version and bumps package version
deny.toml   Removes unused GitHub organization from allowlist

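The cargo-deny report above points at one line of Cargo.lock and names the first fixed version (slab >= 0.4.11). The following Rust example is added here and is neither the project's code nor part of cargo-deny: it reads the `[[package]]` entries of a Cargo.lock body and reports every pin of a given crate that is below the advisory's fixed version, which is the check a maintainer wants before and after `cargo update -p slab`. The lockfile text embedded in it is constructed for the example and is not the project's Cargo.lock; `parse_lock`, `parse_version` and `vulnerable_pins` are the example's own names.

```rust
// Added example (not the project's code, not cargo-deny): scan a Cargo.lock body for
// pins of one crate that are strictly below an advisory's first fixed version.

/// One `[[package]]` entry as pinned in Cargo.lock.
#[derive(Debug, PartialEq)]
pub struct Pin {
    pub name: String,
    pub version: String,
}

/// Minimal line-oriented reader for the `name = "..."` / `version = "..."` keys of each
/// `[[package]]` table. It deliberately needs no TOML crate.
pub fn parse_lock(lock: &str) -> Vec<Pin> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<Pin>) {
        // Take both keys so the top-level `version = 3` never pairs with a later name.
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push(Pin { name: n, version: v });
        }
    }
    let mut pins = Vec::new();
    let (mut name, mut version) = (None, None);
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut pins);
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut pins);
    pins
}

/// Parse `MAJOR.MINOR.PATCH`; anything else (pre-release, build metadata) yields None.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.split('.').map(|p| p.parse::<u64>().ok());
    let (a, b, c) = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None;
    }
    Some((a, b, c))
}

/// Versions of `pkg` pinned in `lock` that are below `fixed`. Unparsable versions are
/// reported too, so a pre-release pin is surfaced for review rather than silently passed.
pub fn vulnerable_pins(lock: &str, pkg: &str, fixed: &str) -> Vec<String> {
    let fixed_v = parse_version(fixed).expect("fixed version must be MAJOR.MINOR.PATCH");
    parse_lock(lock)
        .into_iter()
        .filter(|p| p.name == pkg)
        .filter(|p| parse_version(&p.version).map_or(true, |v| v < fixed_v))
        .map(|p| p.version)
        .collect()
}

/// Constructed sample lockfile for the example; it is not the project's Cargo.lock.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "slab"
version = "0.4.10"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio"
version = "1.46.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    // RUSTSEC-2025-0047: slab is fixed in 0.4.11 (taken from the advisory quoted above).
    let bad = vulnerable_pins(SAMPLE_LOCK, "slab", "0.4.11");
    if bad.is_empty() {
        println!("slab: no pin below 0.4.11");
    } else {
        println!("slab: pin(s) below 0.4.11: {:?}; run `cargo update -p slab`", bad);
    }
}
```

Tuple comparison gives the numeric ordering semver needs for release versions; the reader stops at a `[[package]]` boundary, so a second copy of the same crate at another version (common when two dependants pin different majors) is reported as its own entry.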

Sorts out this known vulnerability:

installed targets:
  x86_64-unknown-linux-musl
warning[unmatched-organization]: allowed 'github.com' organization  was not encountered
    ┌─ ./deny.toml:233:12
    │
233 │ github = ["OpenDevicePartnership"]
    │            ━━━━━━━━━━━━━━━━━━━━━ no crate source fell under this organization

error[vulnerability]: Out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check
   ┌─ /github/workspace/Cargo.lock:43:1
   │
43 │ slab 0.4.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2025-0047
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0047
   ├ ## Impact
     The `get_disjoint_mut` method in slab v0.4.10 incorrectly checked if indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes.

     ## Patches
     This has been fixed in slab v0.4.11.

     ## Workarounds
     Avoid using `get_disjoint_mut` with indices that might be beyond the slab's actual length, or upgrade to v0.4.11 or later.

     ## References
     * [https://github.com/tokio-rs/slab/pull/152](https://github.com/tokio-rs/slab/pull/152)
   ├ Announcement: GHSA-qx2v-8332-m4fv
   ├ Solution: Upgrade to >=0.4.11 (try `cargo update -p slab`)
   ├ slab v0.4.10
     └── tokio v1.46.1
         └── (dev) tmp108 v0.3.0

warning[yanked]: detected yanked crate (try `cargo update -p slab`)
   ┌─ /github/workspace/Cargo.lock:43:1
   │
43 │ slab 0.4.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ yanked version
   │
   ├ slab v0.4.10
     └── tokio v1.46.1
         └── (dev) tmp108 v0.3.0

advisories FAILED, bans ok, licenses ok, sources ok

Signed-off-by: Felipe Balbi <febalbi@microsoft.com>
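The advisory text in the description and again in the commit message above describes the defect as checking an index against the slab's capacity instead of its length. The following Rust example is added here and is not slab's code: it models a slab as a vector of optional slots and implements the precondition for disjoint mutable access the way the fix requires, so a key that lies inside the allocation but past the number of initialised slots is refused. It generalises the two-index case in the text to any number of keys. `MiniSlab`, `keys_are_valid` and `get2_mut` are the example's own names, and it omits slab's free-list reuse of vacant slots because that does not affect the check being shown.

```rust
// Added example, not slab's code: a minimal slab-like container showing the bounds
// check RUSTSEC-2025-0047 is about. Indices are validated against the number of
// initialised slots (`len`), never against the allocation size (`capacity`).

pub struct MiniSlab<T> {
    /// Some(v) = occupied slot, None = vacant slot. Only the first `entries.len()`
    /// slots of the allocation have ever been written; the rest of `capacity()` has not.
    entries: Vec<Option<T>>,
}

impl<T> MiniSlab<T> {
    pub fn with_capacity(n: usize) -> Self {
        MiniSlab { entries: Vec::with_capacity(n) }
    }

    /// Append-only insert; returns the slot key. (Real slab reuses vacant slots; this
    /// toy omits that because it does not change the bounds check being shown.)
    pub fn insert(&mut self, value: T) -> usize {
        self.entries.push(Some(value));
        self.entries.len() - 1
    }

    pub fn remove(&mut self, key: usize) -> Option<T> {
        self.entries.get_mut(key).and_then(Option::take)
    }

    pub fn get(&self, key: usize) -> Option<&T> {
        self.entries.get(key).and_then(Option::as_ref)
    }

    /// Number of initialised slots: the correct upper bound for any key.
    pub fn len(&self) -> usize {
        self.entries.len()
    }

    /// Allocation size: the wrong upper bound (the v0.4.10 mistake).
    pub fn capacity(&self) -> usize {
        self.entries.capacity()
    }

    /// Precondition for disjoint mutable access to `keys`: every key must be below
    /// `len` and no two keys may be equal. Comparing against `capacity` here instead
    /// of `len` is what let v0.4.10 hand out references to never-written memory.
    pub fn keys_are_valid(len: usize, keys: &[usize]) -> bool {
        keys.iter().all(|&k| k < len)
            && keys.iter().enumerate().all(|(i, &k)| !keys[..i].contains(&k))
    }

    /// Mutable references to two distinct occupied slots, or None if either key is
    /// out of range, the keys collide, or a slot is vacant.
    pub fn get2_mut(&mut self, a: usize, b: usize) -> Option<(&mut T, &mut T)> {
        if !Self::keys_are_valid(self.entries.len(), &[a, b]) {
            return None;
        }
        // split_at_mut gives the borrow checker proof that the two slots are disjoint.
        let (lo, hi) = if a < b { (a, b) } else { (b, a) };
        let (left, right) = self.entries.split_at_mut(hi);
        let lo_ref = left[lo].as_mut()?;
        let hi_ref = right[0].as_mut()?;
        Some(if a < b { (lo_ref, hi_ref) } else { (hi_ref, lo_ref) })
    }
}

fn main() {
    let mut slab: MiniSlab<&str> = MiniSlab::with_capacity(16);
    let a = slab.insert("first");
    let b = slab.insert("second");
    // Key 7 lies inside the 16-slot allocation but past len() == 2: it must be refused.
    assert!(slab.get2_mut(a, 7).is_none());
    if let Some((x, y)) = slab.get2_mut(a, b) {
        std::mem::swap(x, y);
    }
    println!(
        "len={} capacity={} a={:?} b={:?}",
        slab.len(), slab.capacity(), slab.get(a), slab.get(b)
    );
}
```

Because the check is performed against `len` and the two references are carved out with `split_at_mut`, the function stays entirely in safe Rust; the unsafe pointer arithmetic that made the original check load-bearing is exactly what makes a capacity-based bound dangerous in the real crate.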
@felipebalbi felipebalbi merged commit 13cc49d into OpenDevicePartnership:main Sep 22, 2025
11 checks passed
@felipebalbi felipebalbi deleted the update-deps branch September 22, 2025 15:12