Bump: libz-sys crate to address CVE #11265
Conversation
Hi @chathuryaadapa, thanks for the PR. I have two questions:
cd src/runtime-rs
cargo update bumpalo@3.13.0 --precise 3.17.0
cargo update libz-sys@1.1.12 --precise 1.1.22
diff --git a/src/runtime-rs/Cargo.lock b/src/runtime-rs/Cargo.lock
index d465fffdb8..c93534a280 100644
--- a/src/runtime-rs/Cargo.lock
+++ b/src/runtime-rs/Cargo.lock
@@ -68,7 +68,7 @@ version = "0.7.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fcb51a0695d8f838b1ee009b3fbf66bda078cd64590202a864a8f3e8c4315c47"
dependencies = [
- "getrandom",
+ "getrandom 0.2.10",
"once_cell",
"version_check",
]
@@ -374,9 +374,9 @@ dependencies = [
[[package]]
name = "bumpalo"
-version = "3.13.0"
+version = "3.17.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a3e2c3daef883ecc1b5d58c15adae93470a91d425f3532ba1695849656af3fc1"
+checksum = "1628fb46dfa0b37568d12e5edd512553eccf6a22a78e8bde00bb4aed84d5bdbf"
[[package]]
name = "byte-unit"
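Review bot: the bumpalo 3.13.0 -> 3.17.0 bump is out of scope for a PR whose stated purpose is the libz-sys CVE, and the thread says it is already covered in #11251; drop this hunk on rebase so the lock change stays limited to the crate named in the title.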
@@ -423,11 +423,13 @@ dependencies = [
[[package]]
name = "cc"
-version = "1.0.79"
+version = "1.2.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f"
+checksum = "32db95edf998450acc7881c932f94cd9b05c87b4b2599e8bab064753da4acfd1"
dependencies = [
"jobserver",
+ "libc",
+ "shlex",
]
[[package]]
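Review bot: cc jumps from 1.0.79 to 1.2.22 and gains two new dependencies (`+ "libc",` and `+ "shlex",`), a far wider change than the libz-sys fix needs. If libz-sys 1.1.22 really requires a newer cc, pin it to the lowest version that satisfies it with `cargo update cc --precise <version>` and say so in the commit message; otherwise revert this hunk.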
@@ -1440,6 +1442,18 @@ dependencies = [
"wasi 0.11.0+wasi-snapshot-preview1",
]
+[[package]]
+name = "getrandom"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4"
+dependencies = [
+ "cfg-if 1.0.0",
+ "libc",
+ "r-efi",
+ "wasi 0.14.2+wasi-0.2.4",
+]
+
[[package]]
name = "getset"
version = "0.1.2"
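Review bot: this introduces a second getrandom (0.3.3) alongside the existing 0.2.10 that the renamed `"getrandom 0.2.10"` entries elsewhere in the diff now point at, so the build compiles two copies of the crate and additionally pulls in r-efi and a second wasi. Nothing in a libz-sys bump needs this; it should not be in this PR.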
@@ -1863,10 +1877,11 @@ checksum = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38"
[[package]]
name = "jobserver"
-version = "0.1.26"
+version = "0.1.33"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "936cfd212a0155903bcbc060e316fb6cc7cbf2e1907329391ebadc1fe0ce77c2"
+checksum = "38f262f097c174adebe41eb73d66ae9c06b2844fb0da69969647bbddd9b0538a"
dependencies = [
+ "getrandom 0.3.3",
"libc",
]
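Review bot: the jobserver 0.1.26 -> 0.1.33 bump is what adds `+ "getrandom 0.3.3",` and with it the new r-efi, wasi 0.14.2 and wit-bindgen-rt packages; unless libz-sys 1.1.22 depends on it, keep jobserver at 0.1.26 so the diff contains only the CVE-related change.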
@@ -1975,9 +1990,9 @@ checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa"
[[package]]
name = "libz-sys"
-version = "1.1.12"
+version = "1.1.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d97137b25e321a73eef1418d1d5d2eda4d77e12813f8e6dead84bc52c5870a7b"
+checksum = "8b70e7a7df205e92a1a4cd9aaae7898dac0aa555503cc0a649494d0d60e7651d"
dependencies = [
"cc",
"cmake",
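Review bot: this is the only hunk that addresses the CVE named in the title, and 1.1.22 is above the >=1.1.15 fixed version cited in the review thread. Put it in its own commit whose message names CVE-2025-1744 and the fixed version, so the security-relevant lock change can be audited independently of the transitive bumps.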
@@ -3274,6 +3289,12 @@ dependencies = [
"proc-macro2",
]
+[[package]]
+name = "r-efi"
+version = "5.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "74765f6d916ee2faa39bc8e68e4f3ed8949b48cccdac59983d287a7cb71ce9c5"
+
[[package]]
name = "rand"
version = "0.3.23"
@@ -3339,7 +3360,7 @@ version = "0.6.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
dependencies = [
- "getrandom",
+ "getrandom 0.2.10",
]
[[package]]
@@ -3384,7 +3405,7 @@ version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
dependencies = [
- "getrandom",
+ "getrandom 0.2.10",
"redox_syscall 0.2.16",
"thiserror 1.0.69",
]
@@ -3974,6 +3995,12 @@ dependencies = [
"tokio",
]
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
[[package]]
name = "signal-hook"
version = "0.3.17"
@@ -4916,6 +4943,15 @@ version = "0.11.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+[[package]]
+name = "wasi"
+version = "0.14.2+wasi-0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9683f9a5a998d873c0d21fcbe3c083009670149a8fab228644b8bd36b2c48cb3"
+dependencies = [
+ "wit-bindgen-rt",
+]
+
[[package]]
name = "wasm-bindgen"
version = "0.2.87"
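Review bot: a second wasi entry (0.14.2+wasi-0.2.4 next to the existing 0.11.0+wasi-snapshot-preview1) plus the new wit-bindgen-rt dependency arrive only through getrandom 0.3.3; they are unrelated to libz-sys and go away once the transitive bumps are reverted.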
@@ -5314,6 +5350,15 @@ dependencies = [
"windows-sys 0.48.0",
]
+[[package]]
+name = "wit-bindgen-rt"
+version = "0.39.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f42320e61fe2cfd34354ecb597f86f413484a798ba44a8ca1165c58d42da6c1"
+dependencies = [
+ "bitflags 2.9.0",
+]
+
[[package]]
name = "xattr"
version = "0.2.3" |
The Bumpalo bump is already covered in #11251
Hello @burgerdev, Thank you
Thanks for adding all the details, much appreciated. I fear you need to rebase and revert some of the crate updates, because they happened in other PRs already. E.g.,
Can you share what system is reporting the
One more thing: it would help review if the updates were split into individual commits (or groups of crate updates if that makes more sense). Like what @stevenhorsman did in https://github.com/kata-containers/kata-containers/pull/11251/commits.
Force-pushed from 5c0d04a to 98de3e9.
I'm not sure I really follow the CVE links that github has created and see how they are relevant, but https://www.mend.io/vulnerability-database/CVE-2025-1744 and https://www.mend.io/vulnerability-database/CVE-2023-45853 do mention upgrading libz-sys to >=1.1.15, and as long as the tests pass then bumping the crates seems like a good thing anyway.
@chathuryaadapa - can you rebase this please to resolve the conflict and then I can run the CI tests. Thanks
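As an added check, not part of this PR or of the kata-containers tree: a POSIX shell snippet that reads a Cargo.lock and reports whether every copy of a crate is at or above a fixed version, here libz-sys against the >=1.1.15 threshold cited above. The lock excerpt is constructed; on a real checkout feed it src/runtime-rs/Cargo.lock instead.

```shell
# Added example, not the PR's code: checks a Cargo.lock for every copy of a
# crate and confirms each copy is at or above a minimum (fixed) version.
# Constructed Cargo.lock excerpt so the script runs stand-alone; against the
# real tree: check_crate_fixed libz-sys 1.1.15 < src/runtime-rs/Cargo.lock
LOCK_SAMPLE='[[package]]
name = "libz-sys"
version = "1.1.22"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "getrandom"
version = "0.2.10"

[[package]]
name = "getrandom"
version = "0.3.3"
'

# lock_versions NAME: print every version of NAME in the lock read on stdin
# (a crate can be present more than once, as getrandom is above).
lock_versions() {
  awk -v want="$1" '
    /^name = /    { gsub(/"/, "", $3); name = $3 }
    /^version = / { gsub(/"/, "", $3); if (name == want) print $3 }
  '
}

# version_ge A B: succeed when A >= B, comparing dotted numeric components
version_ge() {
  low=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$low" = "$2" ]
}

# check_crate_fixed NAME MIN: succeed only if NAME is present and every copy
# is at or above MIN; one leftover old copy still leaves the bug in the build
check_crate_fixed() {
  found=0
  for v in $(lock_versions "$1"); do
    found=1
    version_ge "$v" "$2" || return 1
  done
  [ "$found" -eq 1 ]
}

printf '%s' "$LOCK_SAMPLE" | check_crate_fixed libz-sys 1.1.15 && echo "libz-sys >= 1.1.15: ok"
```

Because every copy is checked, the function fails for getrandom against 0.3.0 in the sample: the 0.2.10 entry is still present even though 0.3.3 is too.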
Force-pushed from 98de3e9 to 4e9ec45.
What is going on with this PR? It was to bump libz-sys and now it's changed to a ring bump that isn't needed?
After the rebase, I found that only the ring crate needed an update. Accordingly, I have updated the commit and revised the description to reflect this change.
The libz-sys version hasn't bumped though?
Force-pushed from ddb4496 to b1c2776.
Force-pushed from 90b7d32 to 711fcd8.
Apologies for the confusion
Bump libz-sys version to update and remediate CVE-2025-1744.

Signed-off-by: Adapa Chathurya <adapa.chathurya1@ibm.com>
Force-pushed from a15fdb0 to 3d284d3.
Thanks, lgtm!
update libz-sys crate to remediate CVE-2025-1744