fix(deps): Bump memmap2 to 0.9.11 for RUSTSEC-2026-0186#341
fix(deps): Bump memmap2 to 0.9.11 for RUSTSEC-2026-0186#341unclesp1d3r wants to merge 6 commits into
Conversation
memmap2 0.9.10 has an unsound unchecked-pointer-offset flaw in the advise_range / flush_range family (out-of-bounds offset/len passed to pointer::offset/add and on to madvise/msync). Patched in 0.9.11. Closes #340 Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
Summary by CodeRabbit
WalkthroughBumps Changesmemmap2 security patch
Estimated code review effort: 1 (Trivial) | ~2 minutes Poem
🚥 Pre-merge checks | ✅ 9 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (9 passed)
Warning Review ran into problems🔥 ProblemsThese MCP integrations need to be re-authenticated in the Integrations settings: Linear, Notion Comment |
Merge Protections🔴 1 of 4 protections blocking
🔴 🚦 Auto-queueThis rule is failing.When all merge protections are satisfied and these conditions match, this pull request will be queued automatically.
Show 3 satisfied protections🟢 Enforce conventional commitRequire conventional commit format per https://www.conventionalcommits.org/en/v1.0.0/. Skipped for bots.
🟢 Full CI must passAll CI checks must pass. Release-plz PRs are exempt because they only bump versions and changelogs (code was already tested on main), and GITHUB_TOKEN-triggered force-pushes suppress CI.
🟢 Do not merge outdated PRsMake sure PRs are within 10 commits of the base branch before merging
|
|
Tick the box to add this pull request to the merge queue (same as
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Summary
Bumps
memmap2from0.9.10to0.9.11to resolve RUSTSEC-2026-0186 (unsound), which is currently failing the dailySecurityworkflow'scargo auditjob onmain.The advisory: affected versions of
memmap2did not validate theoffset/lenparameters of theadvise_range/flush[_async]_rangefamily, allowing an out-of-bounds range to reachpointer::offset()/pointer::add()and themadvise/msyncsyscalls (UB). Fixed upstream in0.9.11.memmap2 = "0.9.10"->"0.9.11"Cargo.lockupdated viacargo update -p memmap2Verification
cargo audit-> exit 0 (advisory cleared)cargo fmt --check-> passcargo clippy --all-targets --all-features -- -D warnings-> passcargo test --all-features-> all suites pass (1202 lib + integration)Closes #340
Test plan
cargo auditcleanSecurityaudit job)