chore(deps): [security] bump spin from 0.5.0 to 0.5.2 #72

dependabot-preview · 2019-08-28T17:28:18Z

Bumps spin from 0.5.0 to 0.5.2. This update includes a security fix.

Vulnerabilities fixed

Sourced from The RustSec Advisory Database.

Wrong memory orderings in RwLock potentially violates mutual exclusion
Wrong memory orderings inside the RwLock implementation allow for two writers to acquire the lock at the same time. The drop implementation used Ordering::Relaxed, which allows the compiler or CPU to reorder a mutable access on the locked data after the lock has been yielded.

Only users of the RwLock implementation are affected. Users of Once (including users of lazy_static with the spin_no_std feature enabled) are NOT affected.

On strongly ordered CPU architectures like x86, the only real way that this would lead to a memory corruption is if the compiler reorders an access after the lock is yielded, which is possible but in practice unlikely. It is a more serious issue on weakly ordered architectures such as ARM which, except in the presence of certain instructions, allow the hardware to decide which accesses are seen at what times. Therefore on an ARM system it is likely that using the wrong memory ordering would result in a memory corruption, even if the compiler itself doesn't reorder the memory accesses in a buggy way.

The flaw was corrected by https://github-redirect.dependabot.com/mvdnes/spin-rs/pull/66.

Patched versions: >= 0.5.2
Unaffected versions: none

Commits

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
@dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

Update frequency (including time of day and day of week)
Automerge options (never/patch/minor, and dev/runtime dependencies)
Pull request limits (per update run and/or open at any time)
Out-of-range updates (receive only lockfile updates, if desired)
Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Bumps [spin](https://github.com/mvdnes/spin-rs) from 0.5.0 to 0.5.2. **This update includes a security fix.** - [Release notes](https://github.com/mvdnes/spin-rs/releases) - [Commits](https://github.com/mvdnes/spin-rs/commits) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Hywan · 2019-08-28T19:27:03Z

bors r+

72: chore(deps): [security] bump spin from 0.5.0 to 0.5.2 r=Hywan a=dependabot-preview[bot] Bumps [spin](https://github.com/mvdnes/spin-rs) from 0.5.0 to 0.5.2. **This update includes a security fix.** <details> <summary>Vulnerabilities fixed</summary> *Sourced from [The RustSec Advisory Database](https://github.com/RustSec/advisory-db/blob/master/crates/spin/RUSTSEC-0000-0000.toml).* > **Wrong memory orderings in RwLock potentially violates mutual exclusion** > Wrong memory orderings inside the RwLock implementation allow for two writers to acquire the lock at the same time. The drop implementation used Ordering::Relaxed, which allows the compiler or CPU to reorder a mutable access on the locked data after the lock has been yielded. > > Only users of the RwLock implementation are affected. Users of Once (including users of lazy_static with the `spin_no_std` feature enabled) are NOT affected. > > On strongly ordered CPU architectures like x86, the only real way that this would lead to a memory corruption is if the compiler reorders an access after the lock is yielded, which is possible but in practice unlikely. It is a more serious issue on weakly ordered architectures such as ARM which, except in the presence of certain instructions, allow the hardware to decide which accesses are seen at what times. Therefore on an ARM system it is likely that using the wrong memory ordering would result in a memory corruption, even if the compiler itself doesn't reorder the memory accesses in a buggy way. > > The flaw was corrected by https://github-redirect.dependabot.com/mvdnes/spin-rs/pull/66. > > Patched versions: >= 0.5.2 > Unaffected versions: none </details> <details> <summary>Commits</summary> - See full diff in [compare view](https://github.com/mvdnes/spin-rs/commits) </details> <br /> [![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=spin&package-manager=cargo&previous-version=0.5.0&new-version=0.5.2)](https://dependabot.com/compatibility-score.html?dependency-name=spin&package-manager=cargo&previous-version=0.5.0&new-version=0.5.2) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot. </details> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

bors · 2019-08-28T19:34:47Z

Build succeeded

ci/circleci: build-and-test

dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Aug 28, 2019

Hywan self-assigned this Aug 28, 2019

bors bot merged commit 406268c into master Aug 28, 2019

bors bot deleted the dependabot/cargo/spin-0.5.2 branch August 28, 2019 19:34

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): [security] bump spin from 0.5.0 to 0.5.2 #72

chore(deps): [security] bump spin from 0.5.0 to 0.5.2 #72

dependabot-preview bot commented Aug 28, 2019

Hywan commented Aug 28, 2019

bors bot commented Aug 28, 2019

chore(deps): [security] bump spin from 0.5.0 to 0.5.2 #72

chore(deps): [security] bump spin from 0.5.0 to 0.5.2 #72

Conversation

dependabot-preview bot commented Aug 28, 2019

Hywan commented Aug 28, 2019

bors bot commented Aug 28, 2019

Build succeeded