Skip to content

pin memmap2 version above RUSTSEC-2026-0186 fix#647

Open
jamillambert wants to merge 2 commits into
rust-bitcoin:masterfrom
jamillambert:0624-RUSTSEC-2026-0186
Open

pin memmap2 version above RUSTSEC-2026-0186 fix#647
jamillambert wants to merge 2 commits into
rust-bitcoin:masterfrom
jamillambert:0624-RUSTSEC-2026-0186

Conversation

@jamillambert

Copy link
Copy Markdown
Collaborator

Pin memmap2 to a safe minimum (>= 0.9.11) for fuzzing builds so the minimum lockfile generation is not the vulnerable 0.9.9 version.

Update the lockfiles.

Closes #645

@jamillambert jamillambert requested a review from tcharding as a code owner June 24, 2026 10:58

@satsfy satsfy left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems that fuzz/generate-files.sh would rewrite fuzz/Cargo.toml, and the daily job would actually not include this new change. Fix by adding that new Cargo.toml section of memmap2 to fuzz/generate-files.sh.

@jamillambert jamillambert force-pushed the 0624-RUSTSEC-2026-0186 branch from 2a56f95 to 76d4b61 Compare June 24, 2026 15:13
@jamillambert

Copy link
Copy Markdown
Collaborator Author

Seems that fuzz/generate-files.sh would rewrite fuzz/Cargo.toml, and the daily job would actually not include this new change. Fix by adding that new Cargo.toml section of memmap2 to fuzz/generate-files.sh.

Added to fuzz/generate-files.sh.

@satsfy satsfy left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 76d4b61

@tcharding

Copy link
Copy Markdown
Member

generate-files.sh still looks stale mate. Likely it was before you touched it which is not uncommon for this script. Can you put a patch at the front of this PR that makes it so that running the script does not produce any changes.

The file was stale. Update it to match the current state of the
generated files.
Pin memmap2 to a safe minimum (>= 0.9.11) for fuzzing builds so the
minimum lockfile generation is not the vulnerable 0.9.9 version.

Update the lockfiles.
@jamillambert jamillambert force-pushed the 0624-RUSTSEC-2026-0186 branch from 76d4b61 to 3b31e93 Compare July 7, 2026 13:08
@jamillambert

Copy link
Copy Markdown
Collaborator Author

Added a patch up front to update the generate-files.sh file which was stale.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

RUSTSEC-2026-0186: Unchecked pointer offset in crate memmap2

3 participants