
fix(deps): update rust crate tokio to v1.18.5 [security] #80

Open
wants to merge 1 commit into
base: master

Conversation

renovate[bot]

@renovate renovate bot commented Mar 18, 2023

This PR contains the following updates:

Package         Type          Update  Change
tokio (source)  dependencies  minor   1.16.1 -> 1.18.5

GitHub Vulnerability Alerts

CVE-2023-22466

Impact

When configuring a Windows named pipe server, setting pipe_mode will reset reject_remote_clients to false. If the application has previously configured reject_remote_clients to true, this effectively undoes the configuration. This also applies if reject_remote_clients is not explicitly set as this is the default configuration and is cleared by calling pipe_mode.

Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB).

Patches

The following versions have been patched:

  • 1.23.1
  • 1.20.3
  • 1.18.4

The fix will also be present in all releases starting from version 1.24.0.

Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

use tokio::net::windows::named_pipe::{PipeMode, ServerOptions};

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);  // set the pipe mode first, since it clears reject_remote_clients
opts.reject_remote_clients(true);   // then (re-)assert that remote clients are rejected
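The following Rust program is an added example, not tokio's code or part of this PR. It models the mechanism the advisory describes: Win32's CreateNamedPipe takes a single dwPipeMode flag word in which the pipe type (byte/message) and PIPE_REJECT_REMOTE_CLIENTS are separate bits, so a builder whose pipe_mode setter assigns the whole word discards the reject bit, while one that only flips its own bit is order independent. The two builder types (ClobberingOptions, PreservingOptions) and the rejects_remote_clients check are hypothetical names for this illustration; the three constants are the documented Win32 values.

```rust
// Added example (not tokio's code): a model of the dwPipeMode flag word,
// showing why setter order can silently drop PIPE_REJECT_REMOTE_CLIENTS
// and how to check the final word before creating the pipe.
// Constant values are the documented Win32 ones.
const PIPE_TYPE_BYTE: u32 = 0x0000_0000;
const PIPE_TYPE_MESSAGE: u32 = 0x0000_0004;
const PIPE_REJECT_REMOTE_CLIENTS: u32 = 0x0000_0008;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PipeMode {
    Byte,
    Message,
}

/// Hypothetical builder modelling the pre-fix behaviour from the advisory:
/// `pipe_mode` assigns the whole flag word, discarding any bit set earlier,
/// including the default PIPE_REJECT_REMOTE_CLIENTS.
#[derive(Debug)]
pub struct ClobberingOptions {
    pipe_mode: u32,
}

impl ClobberingOptions {
    pub fn new() -> Self {
        // Default mirrors the advisory: remote clients are rejected unless changed.
        Self { pipe_mode: PIPE_TYPE_BYTE | PIPE_REJECT_REMOTE_CLIENTS }
    }
    pub fn pipe_mode(&mut self, mode: PipeMode) -> &mut Self {
        // Bug: assignment replaces the word instead of updating one bit.
        self.pipe_mode = match mode {
            PipeMode::Byte => PIPE_TYPE_BYTE,
            PipeMode::Message => PIPE_TYPE_MESSAGE,
        };
        self
    }
    pub fn reject_remote_clients(&mut self, reject: bool) -> &mut Self {
        set_flag(&mut self.pipe_mode, reject, PIPE_REJECT_REMOTE_CLIENTS);
        self
    }
    pub fn flags(&self) -> u32 {
        self.pipe_mode
    }
}

/// Hypothetical builder with the fixed behaviour: every setter only touches
/// the bit it owns, so the call order no longer matters.
#[derive(Debug)]
pub struct PreservingOptions {
    pipe_mode: u32,
}

impl PreservingOptions {
    pub fn new() -> Self {
        Self { pipe_mode: PIPE_TYPE_BYTE | PIPE_REJECT_REMOTE_CLIENTS }
    }
    pub fn pipe_mode(&mut self, mode: PipeMode) -> &mut Self {
        set_flag(&mut self.pipe_mode, mode == PipeMode::Message, PIPE_TYPE_MESSAGE);
        self
    }
    pub fn reject_remote_clients(&mut self, reject: bool) -> &mut Self {
        set_flag(&mut self.pipe_mode, reject, PIPE_REJECT_REMOTE_CLIENTS);
        self
    }
    pub fn flags(&self) -> u32 {
        self.pipe_mode
    }
}

fn set_flag(word: &mut u32, on: bool, bit: u32) {
    if on {
        *word |= bit;
    } else {
        *word &= !bit;
    }
}

/// Defensive check a server can run on the final flag word right before
/// creating the pipe, whichever builder produced it.
pub fn rejects_remote_clients(flags: u32) -> bool {
    flags & PIPE_REJECT_REMOTE_CLIENTS != 0
}

fn main() {
    // Affected ordering: reject_remote_clients(true) and then pipe_mode(...)
    // leaves only PIPE_TYPE_MESSAGE (0x4) in the word.
    let mut bad = ClobberingOptions::new();
    bad.reject_remote_clients(true).pipe_mode(PipeMode::Message);
    println!("clobbering, reject first: {:#x} rejects remote = {}", bad.flags(), rejects_remote_clients(bad.flags()));

    // The advisory's workaround: pipe_mode first, then reject_remote_clients.
    let mut workaround = ClobberingOptions::new();
    workaround.pipe_mode(PipeMode::Message).reject_remote_clients(true);
    println!("clobbering, pipe_mode first: {:#x} rejects remote = {}", workaround.flags(), rejects_remote_clients(workaround.flags()));

    // Fixed builder: the same order as the affected case now keeps the bit.
    let mut fixed = PreservingOptions::new();
    fixed.reject_remote_clients(true).pipe_mode(PipeMode::Message);
    println!("preserving, reject first: {:#x} rejects remote = {}", fixed.flags(), rejects_remote_clients(fixed.flags()));
}
```

The rejects_remote_clients check is the part worth keeping in a real server: asserting on the final flag word just before pipe creation catches this class of ordering bug regardless of which library version is linked.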

References

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients

GHSA-4q83-7cq4-p6wg

tokio::io::ReadHalf<T>::unsplit can violate the Pin contract

The soundness issue is described in tokio/issues#5372.

The specific set of conditions needed to trigger the issue (a !Unpin type in ReadHalf)
is unusual, and this is combined with the difficulty of making any arbitrary use-after-free
exploitable in Rust without doing a lot of careful alignment of data types in
the surrounding code.

The tokio feature io-util is also required to be enabled to trigger this
soundness issue.

Thanks to zachs18 for reporting the issue to the Tokio team responsibly, and to taiki-e
and carllerche for appropriately responding and fixing the soundness bug.

Tokio before 0.2.0 used futures 0.1 that did not have Pin, so it is not
affected by this issue.


Release Notes

tokio-rs/tokio (tokio)

v1.18.5

v1.18.4

v1.18.3: Tokio v1.18.3

1.18.3 (September 27, 2022)

This release removes the dependency on the once_cell crate to restore the MSRV of the 1.18.x LTS release. (#​5048)

v1.18.2: Tokio v1.18.2

1.18.2 (May 5, 2022)

Add missing features for the winapi dependency. (#​4663)

v1.18.1: Tokio v1.18.1

1.18.1 (May 2, 2022)

The 1.18.0 release broke the build for targets without 64-bit atomics when building with tokio_unstable. This release fixes that. (#​4649)

v1.18.0: Tokio v1.18.0

1.18.0 (April 27, 2022)

This release adds a number of new APIs in tokio::net, tokio::signal, and
tokio::sync. In addition, it adds new unstable APIs to tokio::task (Ids
for uniquely identifying a task, and AbortHandle for remotely cancelling a
task), as well as a number of bugfixes.

Fixed
  • blocking: add missing #[track_caller] for spawn_blocking (#​4616)
  • macros: fix select macro to process 64 branches (#​4519)
  • net: fix try_io methods not calling Mio's try_io internally (#​4582)
  • runtime: recover when OS fails to spawn a new thread (#​4485)
Added
  • net: add UdpSocket::peer_addr (#​4611)
  • net: add try_read_buf method for named pipes (#​4626)
  • signal: add SignalKind Hash/Eq impls and c_int conversion (#​4540)
  • signal: add support for signals up to SIGRTMAX (#​4555)
  • sync: add watch::Sender::send_modify method (#​4310)
  • sync: add broadcast::Receiver::len method (#​4542)
  • sync: add watch::Receiver::same_channel method (#​4581)
  • sync: implement Clone for RecvError types (#​4560)
Changed
  • update mio to 0.8.1 (#​4582)
  • macros: rename tokio::select!'s internal util module (#​4543)
  • runtime: use Vec::with_capacity when building runtime (#​4553)
Documented
  • improve docs for tokio_unstable (#​4524)
  • runtime: include more documentation for thread_pool/worker (#​4511)
  • runtime: update Handle::current's docs to mention EnterGuard (#​4567)
  • time: clarify platform specific timer resolution (#​4474)
  • signal: document that Signal::recv is cancel-safe (#​4634)
  • sync: UnboundedReceiver close docs (#​4548)
Unstable

The following changes only apply when building with --cfg tokio_unstable:

  • task: add task::Id type (#​4630)
  • task: add AbortHandle type for cancelling tasks in a JoinSet (#​4530,
    #​4640)
  • task: fix missing doc(cfg(...)) attributes for JoinSet (#​4531)
  • task: fix broken link in AbortHandle RustDoc (#​4545)
  • metrics: add initial IO driver metrics (#​4507)

v1.17.0: Tokio v1.17.0

1.17.0 (February 15, 2022)

This release updates the minimum supported Rust version (MSRV) to 1.49,
the mio dependency to v0.8, and the (optional) parking_lot
dependency to v0.12. Additionally, it contains several bug fixes, as
well as internal refactoring and performance improvements.

Fixed
  • time: prevent panicking in sleep with large durations (#​4495)
  • time: eliminate potential panics in Instant arithmetic on platforms
    where Instant::now is not monotonic (#​4461)
  • io: fix DuplexStream not participating in cooperative yielding
    (#​4478)
  • rt: fix potential double panic when dropping a JoinHandle (#​4430)
Changed
  • update minimum supported Rust version to 1.49 (#​4457)
  • update parking_lot dependency to v0.12.0 (#​4459)
  • update mio dependency to v0.8 (#​4449)
  • rt: remove an unnecessary lock in the blocking pool (#​4436)
  • rt: remove an unnecessary enum in the basic scheduler (#​4462)
  • time: use bit manipulation instead of modulo to improve performance
    (#​4480)
  • net: use std::future::Ready instead of our own Ready future
    (#​4271)
  • replace deprecated atomic::spin_loop_hint with hint::spin_loop
    (#​4491)
  • fix miri failures in intrusive linked lists (#​4397)
Documented
  • io: add an example for tokio::process::ChildStdin (#​4479)
Unstable

The following changes only apply when building with --cfg tokio_unstable:

  • task: fix missing location information in tracing spans generated by
    spawn_local (#​4483)
  • task: add JoinSet for managing sets of tasks (#​4335)
  • metrics: fix compilation error on MIPS (#​4475)
  • metrics: fix compilation error on arm32v7 (#​4453)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/crate-tokio-vulnerability branch from 08ba41a to d3e8d45 Compare December 6, 2023 11:48
@renovate renovate bot changed the title fix(deps): update rust crate tokio to 1.18.5 [security] fix(deps): update rust crate tokio to v1.18.5 [security] Dec 6, 2023
Author

renovate bot commented Dec 6, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package [email protected] --precise 1.18.5
error: package ID specification `[email protected]` did not match any packages
Did you mean one of these?

  [email protected]

@renovate renovate bot force-pushed the renovate/crate-tokio-vulnerability branch from d3e8d45 to 7b1ace7 Compare August 29, 2024 02:47
Author

renovate bot commented Sep 17, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package [email protected] --precise 1.18.5
error: package ID specification `[email protected]` did not match any packages
Did you mean one of these?

  [email protected]

@renovate renovate bot force-pushed the renovate/crate-tokio-vulnerability branch from 7b1ace7 to f3da229 Compare September 17, 2024 08:49