
Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Apr 2, 2025

This PR contains the following updates:

Package  Type                    Update  Change
pyo3     workspace.dependencies  minor   0.23 -> 0.24

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-pph8-gcv7-4qj5

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul byte. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.

Release Notes

pyo3/pyo3 (pyo3)

v0.24.1

Compare Source

Added
  • Add abi3-py313 feature. #​4969
  • Add PyAnyMethods::getattr_opt. #​4978
  • Add PyInt::new constructor for all supported number types (i32, u32, i64, u64, isize, usize). #​4984
  • Add pyo3::sync::with_critical_section2. #​4992
  • Implement PyCallArgs for Borrowed<'_, 'py, PyTuple>, &Bound<'py, PyTuple>, and &Py<PyTuple>. #​5013
Fixed
  • Fix is_type_of for native types not using same specialized check as is_type_of_bound. #​4981
  • Fix Probe class naming issue with #[pymethods]. #​4988
  • Fix compile failure with required #[pyfunction] arguments taking Option<&str> and Option<&T> (for #[pyclass] types). #​5002
  • Fix PyString::from_object causing out-of-bounds reads with encoding and errors parameters which are not nul-terminated. #​5008
  • Fix compile error when additional options follow after crate for #[pyfunction]. #​5015

v0.24.0

Compare Source

Packaging
  • Add supported CPython/PyPy versions to cargo package metadata. #​4756
  • Bump target-lexicon dependency to 0.13. #​4822
  • Add optional jiff dependency to add conversions for jiff datetime types. #​4823
  • Add optional uuid dependency to add conversions for uuid::Uuid. #​4864
  • Bump minimum supported inventory version to 0.3.5. #​4954
Added
  • Add PyIterator::send method to allow sending values into a python generator. #​4746
  • Add PyCallArgs trait for passing arguments into the Python calling protocol. This enabled using a faster calling convention for certain types, improving performance. #​4768
  • Add #[pyo3(default = ...)] option for #[derive(FromPyObject)] to set a default value for extracted fields of named structs. #​4829
  • Add #[pyo3(into_py_with = ...)] option for #[derive(IntoPyObject, IntoPyObjectRef)]. #​4850
  • Add FFI definitions PyThreadState_GetFrame and PyFrame_GetBack. #​4866
  • Optimize last for BoundListIterator, BoundTupleIterator and BorrowedTupleIterator. #​4878
  • Optimize Iterator::count() for PyDict, PyList, PyTuple & PySet. #​4878
  • Optimize nth, nth_back, advance_by and advance_back_by for BoundTupleIterator #​4897
  • Add support for types.GenericAlias as pyo3::types::PyGenericAlias. #​4917
  • Add MutexExt trait to help avoid deadlocks with the GIL while locking a std::sync::Mutex. #​4934
  • Add #[pyo3(rename_all = "...")] option for #[derive(FromPyObject)]. #​4941
Changed
  • Optimize nth, nth_back, advance_by and advance_back_by for BoundListIterator. #​4810
  • Use DerefToPyAny in blanket implementations of From<Py<T>> and From<Bound<'py, T>> for PyObject. #​4593
  • Map io::ErrorKind::IsADirectory/NotADirectory to the corresponding Python exception on Rust 1.83+. #​4747
  • PyAnyMethods::call and friends now require PyCallArgs for their positional arguments. #​4768
  • Expose FFI definitions for PyObject_Vectorcall(Method) on the stable abi on 3.12+. #​4853
  • #[pyo3(from_py_with = ...)] now take a path rather than a string literal #​4860
  • Format Python traceback in impl Debug for PyErr. #​4900
  • Convert PathBuf & Path into Python pathlib.Path instead of PyString. #​4925
  • Relax parsing of exotic Python versions. #​4949
  • PyO3 threads now hang instead of pthread_exit trying to acquire the GIL when the interpreter is shutting down. This mimics the Python 3.14 behavior and avoids undefined behavior and crashes. #​4874
Removed
  • Remove implementations of Deref for PyAny and other "native" types. #​4593
  • Remove implicit default of trailing optional arguments (see #​2935) #​4729
  • Remove the deprecated implicit eq fallback for simple enums. #​4730
Fixed
  • Correct FFI definition of PyIter_Send to return a PySendResult. #​4746
  • Fix a thread safety issue in the runtime borrow checker used by mutable pyclass instances on the free-threaded build. #​4948

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
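The advisory quoted in this PR description comes down to one FFI rule: a Rust `&str` carries its length but no terminating nul byte, so handing `s.as_ptr()` to a C parameter that the callee scans until nul (the way CPython consumes its `encoding` and `errors` arguments) lets the callee read whatever happens to sit after the string. The program below is an added illustration and is not code from PyO3 or from this repository: `c_api_reads` is a stand-in for such a nul-scanning C parameter, and `BACKING` is constructed sample memory with a nul byte placed after some "adjacent" bytes so that the over-read stays inside one allocation and the demo can run safely. The hardened variant does what PyO3 0.24.1 does: allocate a `CString`, which appends the nul and refuses interior nul bytes instead of silently truncating.

```rust
use std::ffi::{CStr, CString, NulError};
use std::os::raw::c_char;

/// Stand-in for a C API parameter such as CPython's `encoding`/`errors`
/// arguments: the callee receives no length, so it scans until the first
/// nul byte it finds.
unsafe fn c_api_reads(ptr: *const c_char) -> String {
    CStr::from_ptr(ptr).to_string_lossy().into_owned()
}

/// Vulnerable pattern: a `&str` is length-delimited, not nul-terminated,
/// so forwarding `s.as_ptr()` lets the callee run past `s.len()` bytes.
///
/// `backing` models memory: the real argument (first `arg_len` bytes),
/// followed by neighbouring data, followed eventually by a nul byte.
fn vulnerable_view(backing: &[u8], arg_len: usize) -> String {
    let s: &str = std::str::from_utf8(&backing[..arg_len]).expect("valid utf-8");
    // SAFETY (demo only): `backing` is constructed to contain a nul byte, so
    // the scan stays inside one allocation. In real code the bytes after `s`
    // are whatever happens to be adjacent on the heap or stack.
    unsafe { c_api_reads(s.as_ptr() as *const c_char) }
}

/// Hardened pattern: allocate a CString, which appends the terminating nul
/// and returns `NulError` for interior nul bytes rather than truncating.
fn hardened_view(arg: &str) -> Result<String, NulError> {
    let c = CString::new(arg)?;
    // SAFETY: `c` is nul-terminated and lives for the duration of the call.
    Ok(unsafe { c_api_reads(c.as_ptr()) })
}

/// Constructed sample memory: the 5-byte argument "utf-8" immediately
/// followed by unrelated data that a nul-scanning callee would leak.
pub const BACKING: &[u8] = b"utf-8<adjacent secret>\0";

fn main() {
    println!("vulnerable:   {:?}", vulnerable_view(BACKING, 5));
    println!("hardened:     {:?}", hardened_view("utf-8"));
    println!("interior nul: {:?}", hardened_view("utf\0-8").is_err());
}
```

The leak in the advisory is exactly `vulnerable_view`: the C side reports the argument plus the bytes after it, and CPython then copies that over-read into the text of the exception it raises. Note that the `CString` fix trades the over-read for an allocation per call and an explicit error on interior nul bytes; an API taking `&CStr`, as the advisory says PyO3 0.25 is likely to add, avoids both by making the caller supply a nul-terminated string up front.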

Contributor Author

renovate bot commented Apr 2, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace
    Updating crates.io index
    Updating git repository `https://github.com/outfox-ai/outfox.git`
From https://github.com/outfox-ai/outfox
 * [new ref]         9c4bb156d60ea11d540cf66f38129de059693f59 -> refs/commit/9c4bb156d60ea11d540cf66f38129de059693f59
    Updating git repository `https://github.com/modelcontextprotocol/rust-sdk.git`
From https://github.com/modelcontextprotocol/rust-sdk
 * [new ref]         fbc7ab70cab26fd4f8897e5f88463cd442e7c59d -> refs/commit/fbc7ab70cab26fd4f8897e5f88463cd442e7c59d
    Updating git repository `https://github.com/EricLBuehler/mistral.rs.git`
From https://github.com/EricLBuehler/mistral.rs
 * [new ref]           8069f9072500398dae419d896356a557ad890cfa -> refs/commit/8069f9072500398dae419d896356a557ad890cfa
    Updating git repository `https://github.com/EricLBuehler/candle.git`
From https://github.com/EricLBuehler/candle
 * [new ref]           1f137cd4f99ee76797cc4a6969802d85e041dd54 -> refs/commit/1f137cd4f99ee76797cc4a6969802d85e041dd54
    Updating git submodule `https://github.com/NVIDIA/cutlass.git`
From https://github.com/NVIDIA/cutlass
 * [new ref]           7d49e6c7e2f8896c47f586706e67e1fb215529dc -> refs/commit/7d49e6c7e2f8896c47f586706e67e1fb215529dc
    Updating git submodule `https://github.com/NVIDIA/cutlass.git`
From https://github.com/NVIDIA/cutlass
 * [new ref]           4c42f73fdab5787e3bb57717f35a8cb1b3c0dc6d -> refs/commit/4c42f73fdab5787e3bb57717f35a8cb1b3c0dc6d
    Updating git submodule `https://github.com/NVIDIA/cutlass`
From https://github.com/NVIDIA/cutlass
 * [new ref]           afa1772203677c5118fcd82537a9c8fefbcc7008 -> refs/commit/afa1772203677c5118fcd82537a9c8fefbcc7008
    Updating git repository `https://github.com/EricLBuehler/llguidance`
From https://github.com/EricLBuehler/llguidance
 * [new ref]         8d7195774a209038ddfbb0d1a5348ed17b387386 -> refs/commit/8d7195774a209038ddfbb0d1a5348ed17b387386
    Updating git repository `https://github.com/guoqingbao/bindgen_cuda.git`
From https://github.com/guoqingbao/bindgen_cuda
 * [new ref]         fb7ed75f3901b146aa1ba460baaeed5b494f2e0d -> refs/commit/fb7ed75f3901b146aa1ba460baaeed5b494f2e0d
error: failed to select a version for `pyo3`.
    ... required by package `pyo3_special_method_derive v0.4.3`
    ... which satisfies dependency `pyo3_special_method_derive = "^0.4.3"` of package `dora-node-api-python v0.3.12 (/tmp/renovate/repos/github/dora-rs/dora/apis/python/node)`
versions that meet the requirements `^0.23` are: 0.23.5, 0.23.4, 0.23.3

package `pyo3` links to the native library `python`, but it conflicts with a previous package which links to `python` as well:
package `pyo3 v0.24.0`
    ... which satisfies dependency `pyo3 = "^0.24"` of package `dora-dav1d v0.3.12 (/tmp/renovate/repos/github/dora-rs/dora/node-hub/dora-dav1d)`
Only one package in the dependency graph may specify the same links value. This helps ensure that only one copy of a native library is linked in the final binary. Try to adjust your dependencies so that only one package uses the `links = "python"` value. For more information, see https://doc.rust-lang.org/cargo/reference/resolver.html#links.

failed to select a version for `pyo3` which could resolve this conflict

@renovate renovate bot changed the title Update Rust crate pyo3 to 0.24 [SECURITY] chore(deps): update rust crate pyo3 to 0.24 [security] Apr 22, 2025
@renovate renovate bot changed the title chore(deps): update rust crate pyo3 to 0.24 [security] Update Rust crate pyo3 to 0.24 [SECURITY] May 30, 2025
@renovate renovate bot changed the title Update Rust crate pyo3 to 0.24 [SECURITY] chore(deps): update rust crate pyo3 to 0.24 [security] Jun 2, 2025
@renovate renovate bot changed the title chore(deps): update rust crate pyo3 to 0.24 [security] Update Rust crate pyo3 to 0.24 [SECURITY] Jun 17, 2025
@renovate renovate bot changed the title Update Rust crate pyo3 to 0.24 [SECURITY] chore(deps): update rust crate pyo3 to 0.24 [security] Jul 3, 2025
@renovate renovate bot changed the title chore(deps): update rust crate pyo3 to 0.24 [security] Update Rust crate pyo3 to 0.24 [SECURITY] Jul 18, 2025
@renovate renovate bot changed the title Update Rust crate pyo3 to 0.24 [SECURITY] chore(deps): update rust crate pyo3 to 0.24 [security] Jul 22, 2025
@renovate renovate bot changed the title chore(deps): update rust crate pyo3 to 0.24 [security] Update Rust crate pyo3 to 0.24 [SECURITY] Jul 25, 2025
@renovate renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from 5307327 to 9171391 on August 10, 2025 10:48
@renovate renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from 9171391 to 6fd101a on August 27, 2025 08:41