From d31a0ce3919930f0ac93fab46a070b3cdaac2f59 Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Mon, 7 Oct 2024 11:56:39 -0400 Subject: [PATCH] Upgrade futures- crates to 0.3.31 to fix use after free futures-util 0.3.30 was yanked because it had a use after free, see . --- Cargo.lock | 32 ++++----- supply-chain/audits.toml | 49 +++++++++++++ supply-chain/imports.lock | 148 +++++++++++--------------------------- 3 files changed, 105 insertions(+), 124 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 757db5e73..77e85463e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -264,30 +264,30 @@ dependencies = [ [[package]] name = "futures-channel" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eac8f7d7865dcb88bd4373ab671c8cf4508703796caa2b1985a9ca867b3fcb78" +checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10" dependencies = [ "futures-core", ] [[package]] name = "futures-core" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dfc6580bb841c5a68e9ef15c77ccc837b40a7504914d52e47b8b0e9bbda25a1d" +checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e" [[package]] name = "futures-io" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a44623e20b9681a318efdd71c299b6b222ed6f231972bfe2f224ebad6311f0c1" +checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6" [[package]] name = "futures-macro" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac" +checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" dependencies = [ "proc-macro2", "quote", @@ -296,21 +296,21 @@ dependencies = [ [[package]] name = "futures-sink" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fb8e00e87438d937621c1c6269e53f536c14d3fbd6a042bb24879e57d474fb5" +checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7" [[package]] name = "futures-task" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004" +checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988" [[package]] name = "futures-util" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d6401deb83407ab3da39eba7e33987a73c3df0c82b4bb5813ee871c19c41d48" +checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81" dependencies = [ "futures-core", "futures-io", @@ -995,9 +995,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.48" +version = "2.0.58" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f3531638e407dfc0814761abb7c00a5b54992b849452a0646b7f65c9f770f3f" +checksum = "44cfb93f38070beee36b3fef7d4f5a16f27751d94b187b666a5cc5e9b0d30687" dependencies = [ "proc-macro2", "quote", diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 9fe860cb3..8bbd9f421 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -140,6 +140,20 @@ start = "2023-08-15" end = "2024-08-29" notes = "Rust Project member" +[[trusted.futures-channel]] +criteria = "safe-to-deploy" +user-id = 33035 # Taiki Endo (taiki-e) +start = "2020-10-05" +end = "2025-04-07" +notes = "Rust Project member" + +[[trusted.futures-core]] +criteria = "safe-to-deploy" +user-id = 33035 # Taiki Endo (taiki-e) +start = "2020-10-05" +end = "2025-04-07" +notes = "Rust Project member" + [[trusted.futures-io]] criteria = "safe-to-deploy" user-id = 33035 # Taiki Endo (taiki-e) @@ -147,6 +161,13 @@ start = "2020-10-05" end = "2024-08-29" notes = "Rust Project member" +[[trusted.futures-io]] +criteria = "safe-to-deploy" +user-id = 33035 # Taiki Endo (taiki-e) +start = "2020-10-05" +end = "2025-04-07" +notes = "Rust Project member" + [[trusted.futures-macro]] criteria = "safe-to-deploy" user-id = 33035 # Taiki Endo (taiki-e) @@ -154,6 +175,13 @@ start = "2020-10-05" end = "2024-08-29" notes = "Rust Project member" +[[trusted.futures-macro]] +criteria = "safe-to-deploy" +user-id = 33035 # Taiki Endo (taiki-e) +start = "2020-10-05" +end = "2025-04-07" +notes = "Rust Project member" + [[trusted.futures-sink]] criteria = "safe-to-deploy" user-id = 33035 # Taiki Endo (taiki-e) @@ -161,6 +189,27 @@ start = "2020-10-05" end = "2024-08-29" notes = "Rust Project member" +[[trusted.futures-sink]] +criteria = "safe-to-deploy" +user-id = 33035 # Taiki Endo (taiki-e) +start = "2020-10-05" +end = "2025-04-07" +notes = "Rust Project member" + +[[trusted.futures-task]] +criteria = "safe-to-deploy" +user-id = 33035 # Taiki Endo (taiki-e) +start = "2019-07-29" +end = "2025-04-07" +notes = "Rust Project member" + +[[trusted.futures-util]] +criteria = "safe-to-deploy" +user-id = 33035 # Taiki Endo (taiki-e) +start = "2020-10-05" +end = "2025-04-07" +notes = "Rust Project member" + [[trusted.h2]] criteria = "safe-to-deploy" user-id = 359 # Sean McArthur (seanmonstar) diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 95084e02f..beeaddcaf 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -29,23 +29,51 @@ user-id = 980 user-login = "Byron" user-name = "Sebastian Thiel" +[[publisher.futures-channel]] +version = "0.3.31" +when = "2024-10-05" +user-id = 33035 +user-login = "taiki-e" +user-name = "Taiki Endo" + +[[publisher.futures-core]] +version = "0.3.31" +when = "2024-10-05" +user-id = 33035 +user-login = "taiki-e" +user-name = "Taiki Endo" + [[publisher.futures-io]] -version = "0.3.30" -when = "2023-12-24" +version = "0.3.31" +when = "2024-10-05" user-id = 33035 user-login = "taiki-e" user-name = "Taiki Endo" [[publisher.futures-macro]] -version = "0.3.30" -when = "2023-12-24" +version = "0.3.31" +when = "2024-10-05" user-id = 33035 user-login = "taiki-e" user-name = "Taiki Endo" [[publisher.futures-sink]] -version = "0.3.30" -when = "2023-12-24" +version = "0.3.31" +when = "2024-10-05" +user-id = 33035 +user-login = "taiki-e" +user-name = "Taiki Endo" + +[[publisher.futures-task]] +version = "0.3.31" +when = "2024-10-05" +user-id = 33035 +user-login = "taiki-e" +user-name = "Taiki Endo" + +[[publisher.futures-util]] +version = "0.3.31" +when = "2024-10-05" user-id = 33035 user-login = "taiki-e" user-name = "Taiki Endo" @@ -211,13 +239,6 @@ user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" -[[publisher.syn]] -version = "2.0.48" -when = "2024-01-04" -user-id = 3618 -user-login = "dtolnay" -user-name = "David Tolnay" - [[publisher.tokio]] version = "1.36.0" when = "2024-02-02" @@ -600,37 +621,6 @@ that the RNG here is not cryptographically secure. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.futures-channel]] -who = "George Burgess IV " -criteria = "safe-to-run" -version = "0.3.28" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" - -[[audits.google.audits.futures-core]] -who = "George Burgess IV " -criteria = "safe-to-run" -version = "0.3.28" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" - -[[audits.google.audits.futures-task]] -who = "George Burgess IV " -criteria = "safe-to-run" -version = "0.3.28" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" - -[[audits.google.audits.futures-util]] -who = "George Burgess IV " -criteria = "safe-to-run" -version = "0.3.28" -notes = """ -There's a custom xorshift-based `random::shuffle` implementation in -src/async_await/random.rs. This is `doc(hidden)` and seems to exist just so -that `futures-macro::select` can be unbiased. Sicne xorshift is explicitly not -intended to be a cryptographically secure algorithm, it is not considered -crypto. -""" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" - [[audits.google.audits.gimli]] who = "George Burgess IV " criteria = "safe-to-run" @@ -910,6 +900,12 @@ delta = "0.4.4 -> 0.5.5" notes = "Reviewed at https://fxrev.dev/946307" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.syn]] +who = "Ying Hsu " +criteria = "safe-to-run" +version = "2.0.58" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.sync_wrapper]] who = "ChromeOS" criteria = "safe-to-run" @@ -1259,70 +1255,6 @@ criteria = "safe-to-deploy" delta = "0.3.3 -> 0.3.8" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.futures-channel]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.3.28 -> 0.3.29" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.futures-channel]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.3.29 -> 0.3.30" -notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.futures-core]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.3.28 -> 0.3.29" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.futures-core]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.3.29 -> 0.3.30" -notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.futures-task]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.3.28 -> 0.3.29" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.futures-task]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.3.29 -> 0.3.30" -notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.futures-util]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.3.28 -> 0.3.29" -notes = """ -Only change to `unsafe` code is to add a `Fut: Send` bound to the -`unsafe impl Sync for FuturesUnordered`. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.futures-util]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.3.29 -> 0.3.30" -notes = """ -- Removes `build.rs` now that it can rely on the `target_has_atomic` attribute. -- Almost all changes to `unsafe` blocks are to either move them around, or - replace them with safe method calls. -- One new `unsafe` block is added for a slice lifetime transmutation. The slice - reconstruction is obviously correct. AFAICT the lifetime transmutation is also - correct; the slice's lifetime logically comes from the `AsyncBufRead` reader - inside `FillBuf`, rather than the `Context`. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.ipnet]] who = "Jack Grigg " criteria = "safe-to-deploy"