deps: bump rand to 0.9.4 in gen-datasets (GHSA-cq8v-f236-94qc)#98
Merged
rand 0.9.0-0.9.2 has a soundness bug (aliased &mut in ThreadRng's RngCore methods when a custom logger re-enters rand::rng() during a reseed). Patched in 0.9.3; cargo update picked 0.9.4. The trigger conditions (custom log::Log impl + thread_rng feature + trace-level logging + reseed mid-call) don't apply to the dataset generator, which is a one-shot CLI with no logger, so this is hygiene only. The only Cargo.lock with rand is benchmarks/gen-datasets/ (a dev tool, not a published crate). The deterministic fixtures (api_response.pb, analytics_event.pb, google_message1_proto3.pb) are byte-identical under 0.9.4 - verified with task gen-datasets - so no fixture churn. Drive-by Taskfile doc fix: media_frame.pb is also process-nondeterministic (map<string, bytes> attachments field encodes in HashMap iteration order), same as log_record.pb. The doc only mentioned log_record.pb because media_frame.pb was added later in PR #61.
asacamano approved these changes on May 6, 2026
Resolves Dependabot alert #2 — GHSA-cq8v-f236-94qc, rand 0.9.0–0.9.2 unsound (low severity).

What the advisory is

rand's RngCore methods on ThreadRng use unsafe to cast *mut BlockRng<ReseedingCore> to &mut. If a custom log::Log implementation re-enters rand::rng() while the inner RNG is mid-reseed (which happens every 64 KiB of output), an aliased &mut is constructed — UB. Patched in rand 0.9.3.

Why the risk is ~zero for buffa

- rand only appears in benchmarks/gen-datasets/Cargo.lock — a one-shot dataset-generator CLI. It is not a dependency of any of the 7 published crates, the workspace Cargo.lock, the examples, or the other benchmark crates.
- rand::rng() from inside a log message, with the log and thread_rng features enabled, at trace-level logging, during a reseed event. The dataset generator has no logger.

This is hygiene, not a fix for an exploitable issue. No release needed.

What changed

- cargo update -p rand in benchmarks/gen-datasets/ → rand 0.9.2 → 0.9.4 (latest 0.9.x, ≥ the 0.9.3 floor). No Cargo.toml change — already pinned to "0.9".
- task gen-datasets and md5-comparing: api_response.pb, analytics_event.pb, google_message1_proto3.pb all unchanged.
- log_record.pb and media_frame.pb differ on every regen run regardless of rand version (their map<...> fields encode in HashMap iteration order), so they were not regenerated.
- gen-datasets task description only listed log_record.pb as process-nondeterministic, but media_frame.pb (added in benchmarks: add prost bytes-feature variant + MediaFrame for zero-copy comparison #61) has the same property via its map<string, bytes> attachments field. Updated the doc to list both nondeterministic fixtures and all three reproducible ones.
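A way to confirm that a bump like this actually landed, as an added example that is not code from this PR or the repository: the Rust below reads a Cargo.lock (a constructed sample, not the real benchmarks/gen-datasets/Cargo.lock) and reports every `rand` entry still inside the GHSA-cq8v-f236-94qc range (0.9.0 ≤ version < 0.9.3), including the case where one lockfile pins several `rand` versions side by side.

```rust
// Added example, not part of the PR: audit a Cargo.lock for `rand` entries in the
// range affected by GHSA-cq8v-f236-94qc (0.9.0 <= version < 0.9.3).
/// Parse "MAJOR.MINOR.PATCH" into a tuple; any pre-release/build suffix is ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// True when `version` is one of the unsound rand releases named in the advisory.
pub fn rand_is_affected(version: &str) -> bool {
    matches!(parse_version(version), Some(v) if v >= (0, 9, 0) && v < (0, 9, 3))
}

/// Record the table just finished if it was a `rand` package, then reset state.
fn finish_table(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<String>) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        if n == "rand" {
            out.push(v);
        }
    }
}

/// Every `rand` version pinned in the lockfile text, in file order. Cargo.lock is TOML
/// with repeated [[package]] tables and only each table's `name`/`version` keys matter
/// here, so a minimal line reader suffices; several `rand` entries may coexist (0.8.x + 0.9.x).
pub fn rand_versions_in_lock(lock: &str) -> Vec<String> {
    let mut out = Vec::new();
    let (mut name, mut version) = (None, None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            finish_table(&mut name, &mut version, &mut out);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    finish_table(&mut name, &mut version, &mut out);
    out
}

/// `rand` versions in the lockfile that still fall inside the affected range.
pub fn affected_rand_versions(lock: &str) -> Vec<String> {
    rand_versions_in_lock(lock).into_iter().filter(|v| rand_is_affected(v)).collect()
}

/// Constructed sample lockfile (not the PR's real benchmarks/gen-datasets/Cargo.lock).
pub const SAMPLE_LOCK: &str = "version = 4\n\n[[package]]\nname = \"rand\"\nversion = \"0.8.5\"\n\n[[package]]\nname = \"rand\"\nversion = \"0.9.2\"\n\n[[package]]\nname = \"rand_core\"\nversion = \"0.9.3\"\n";
```

Running `affected_rand_versions` over the real lockfile before and after `cargo update -p rand` should go from reporting `0.9.2` to reporting nothing.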