Commit d3da261
Update Rust crate memmap2 to v0.9.11 [SECURITY] (#8545)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [memmap2](https://crates.io/crates/memmap2) | workspace.dependencies | patch | `0.9.10` → `0.9.11` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/357) for more information.
---
### Unchecked pointer offset in crate `memmap2`
[RUSTSEC-2026-0186](https://rustsec.org/advisories/RUSTSEC-2026-0186.html)
<details>
<summary>More information</summary>
#### Details
Affected versions of `memmap2` did not perform enough validation on the
`offset` and `len` parameters of
`Mmap::[unchecked_]advise_range()`,
`MmapMut::[unchecked_]advise_range()`
and `MmapMut::flush[_async]_range()`.
This can cause undefined behavior due to invalid values being passed to
[`pointer::offset()`] and [`pointer::add()`]
when passing an out-of-bounds range to any of the affected functions.
The flaw was corrected in commit [`cee7cf0`] and released in version
`0.9.11`.
The invalid pointer is not dereferenced,
but it is passed to the `madvise` and `msync` syscalls and their Windows
equivalents.
[`pointer::offset()`]: https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.offset-1
[`pointer::add()`]: https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.add-1
[`cee7cf0`]: https://github.com/RazrFalcon/memmap2-rs/pull/170/changes/cee7cf03a9ee095982a3c37b7aac8e3f68f1a00c
#### Severity
Unknown
#### References
- [https://crates.io/crates/memmap2](https://crates.io/crates/memmap2)
- [https://rustsec.org/advisories/RUSTSEC-2026-0186.html](https://rustsec.org/advisories/RUSTSEC-2026-0186.html)
- [https://github.com/RazrFalcon/memmap2-rs/issues/169](https://redirect.github.com/RazrFalcon/memmap2-rs/issues/169)
- [https://github.com/RazrFalcon/memmap2-rs/pull/170](https://redirect.github.com/RazrFalcon/memmap2-rs/pull/170)

This data is provided by [OSV](https://osv.dev/vulnerability/RUSTSEC-2026-0186) and the [Rust Advisory Database](https://redirect.github.com/RustSec/advisory-db) ([CC0 1.0](https://redirect.github.com/rustsec/advisory-db/blob/main/LICENSE.txt)).
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/vortex-data/vortex).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent f1adef2 commit d3da261
1 file changed
Lines changed: 2 additions & 2 deletions
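The advisory in the commit message concerns `offset`/`len` pairs reaching pointer arithmetic without enough validation. The following is an added example, not code from memmap2 or from the fix in `cee7cf0`: a caller-side guard to run before a range call. `checked_map_range` and `RangeError` are hypothetical names, and the rule that a range is in bounds when `offset + len` does not exceed the mapping length is an assumption.

```rust
use std::ops::Range;

/// Why a requested (offset, len) pair was rejected. Hypothetical type.
#[derive(Debug, PartialEq, Eq)]
pub enum RangeError {
    /// `offset` does not fit in `isize`, which `pointer::offset()` requires.
    OffsetTooLarge,
    /// `offset + len` does not fit in `usize`.
    Overflow,
    /// The range ends past the end of the mapping.
    OutOfBounds { end: usize, map_len: usize },
}

/// Validate a byte range against a mapping of `map_len` bytes before it is
/// handed to a range API such as `flush_range` or `advise_range`.
/// Assumption: "in bounds" means `offset + len <= map_len`.
pub fn checked_map_range(
    map_len: usize,
    offset: usize,
    len: usize,
) -> Result<Range<usize>, RangeError> {
    if offset > isize::MAX as usize {
        return Err(RangeError::OffsetTooLarge);
    }
    // checked_add catches wrap-around that a plain `offset + len` would hide.
    let end = offset.checked_add(len).ok_or(RangeError::Overflow)?;
    if end > map_len {
        // Also rejects a zero-length range whose offset lies past the mapping:
        // the pointer arithmetic uses the offset even when len is 0.
        return Err(RangeError::OutOfBounds { end, map_len });
    }
    Ok(offset..end)
}

fn main() {
    let map_len = 4096; // constructed sample: a one-page mapping
    let cases = [(0, 4096), (4000, 200), (8192, 0), (usize::MAX, 2)];
    for (offset, len) in cases {
        println!("offset={offset} len={len} -> {:?}", checked_map_range(map_len, offset, len));
    }
}
```
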