Skip to content

Commit d3da261

Browse files
Update Rust crate memmap2 to v0.9.11 [SECURITY] (#8545)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [memmap2](https://crates.io/crates/memmap2) | workspace.dependencies | patch | `0.9.10` → `0.9.11` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/357) for more information. --- ### Unchecked pointer offset in crate `memmap2` [RUSTSEC-2026-0186](https://rustsec.org/advisories/RUSTSEC-2026-0186.html) <details> <summary>More information</summary> #### Details Affected versionf of `memmap2` did not perform enough validation on the `offset` and `len` parameters of `Mmap::[unchecked_]advise_range()`, `MmapMut::[unchecked_]advise_ranage()` and `MmapMut::flush[_async]_range()`. This can cause undefined behavior due to invalid values being passed to [`pointer::offset()`] and [`pointer::add()`] when passing an out-of-bounds range to any of the affected functions. The flaw was corrected in commit [`cee7cf0`] and released in version `0.9.11`. The invalid pointer is not dereferenced, but it is passed to the `madvise` and `msync` syscalls and their Windows equivalents. [`pointer::offset()`]: https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.offset-1 [`pointer::add()`]: https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.add-1 [`cee7cf0`] [https://github.com/RazrFalcon/memmap2-rs/pull/170](https://redirect.github.com/RazrFalcon/memmap2-rs/pull/170)/changes/cee7cf03a9ee095982a3c37b7aac8e3f68f1a00c #### Severity Unknown #### References - [https://crates.io/crates/memmap2](https://crates.io/crates/memmap2) - [https://rustsec.org/advisories/RUSTSEC-2026-0186.html](https://rustsec.org/advisories/RUSTSEC-2026-0186.html) - [https://github.com/RazrFalcon/memmap2-rs/issues/169](https://redirect.github.com/RazrFalcon/memmap2-rs/issues/169) - [https://github.com/RazrFalcon/memmap2-rs/pull/170](https://redirect.github.com/RazrFalcon/memmap2-rs/pull/170) This data is provided by [OSV](https://osv.dev/vulnerability/RUSTSEC-2026-0186) and the [Rust Advisory Database](https://redirect.github.com/RustSec/advisory-db) ([CC0 1.0](https://redirect.github.com/rustsec/advisory-db/blob/main/LICENSE.txt)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/vortex-data/vortex). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzUuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIzNS4wIiwidGFyZ2V0QnJhbmNoIjoiZGV2ZWxvcCIsImxhYmVscyI6WyJjaGFuZ2Vsb2cvY2hvcmUiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent f1adef2 commit d3da261

1 file changed

Lines changed: 2 additions & 2 deletions

File tree

Cargo.lock

Lines changed: 2 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)