Skip to content

Update Rust crate diesel to v2.3.10 [SECURITY]#480

Open
oxide-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/crate-diesel-vulnerability
Open

Update Rust crate diesel to v2.3.10 [SECURITY]#480
oxide-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/crate-diesel-vulnerability

Conversation

@oxide-renovate

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
diesel (source) workspace.dependencies patch 2.3.92.3.10

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Diesel has possible use after free when deserializing a SQLite database via SqliteConnection::deserialize_readonly_database

GHSA-ggxf-9f6j-w742

More information

Details

Diesel allows loading a SQLite database from a byte buffer, represented as &[u8], at runtime via the SqliteConnection::deserialize_readonly_database function. In previous versions of Diesel, this buffer was passed directly to libsqlite3. Since libsqlite3 requires the buffer to remain alive for as long as the database connection is open and Diesel did not ensure this as part of its safe API, callers of SqliteConnection::deserialize_readonly_database could drop the buffer prematurely. This prematurely drop caused libsqlite3 to operate on freed memory.

This vulnerability affects users of SqliteConnection::deserialize_readonly_database who drop the buffer passed to the function before they drop the database connection.

Mitigation

The preferred mitigation to the outlined problem is to update to Diesel version 2.3.10 or newer, which includes a fix for the problem. Alternatively users need to take to keep the buffer alive until the connection is dropped.

Resolution

Diesel now stores a copy of the buffer inside of the SqliteConnection object itself to keep it alive as long as the underlying libsqlite3 connection exists.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

diesel-rs/diesel (diesel)

v2.3.10

Compare Source

  • Fixed a wrong value of a internal MYSQL flag
  • Fixed several possible panics in the PostgreSQL deserialization code for malformed packages in the
  • Fixed an issue that caused unexpected results while calling custom aggregated SQL functions twice in the SQLite backend
  • Fixed a potential use after free bug in the SQLite backend while deserializing a database from a byte buffer
  • Fixed potential invalid schema generation if column or table names "inject" rust code
  • Fixed potential SQL injections during schema introspection via diesel print-schema
  • Fixed a regression that resulted in rejecting valid combinations of ORDER BY and GROUP BY clauses

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • "after 8pm,before 6am"

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@oxide-renovate oxide-renovate Bot added the dependencies Pull requests that update a dependency file label Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants