Update Rust crate anyhow to v1.0.103 [SECURITY] #7

Open
renovate wants to merge 1 commit from renovate/crate-anyhow-vulnerability into main
Collaborator

This PR contains the following updates:

Package Type Update Change
anyhow dependencies patch 1.0.1021.0.103

Unsoundness in Error::downcast_mut()

RUSTSEC-2026-0190

More information

Details

Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to an error via Error::context and then later calls Error::downcast_mut on the returned Error.

The flaw was corrected in commit 6e8c000 by revising how the mutable reference is constructed, avoiding inclusion of a shared reference in the resulting borrow chain.

Example
use anyhow::Error;
use std::fmt;

#[derive(Debug)]
struct ErrorContext(&'static str);

impl fmt::Display for ErrorContext {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt::Display::fmt(&self.0, f)
    }
}

fn main() {
    let mut error = Error::msg("inner error").context(ErrorContext("old context"));
    let context: &mut ErrorContext = error.downcast_mut().unwrap();
    context.0 = "new context";
    println!("{:?}", error);
}
Miri output
error: Undefined Behavior: trying to retag from <1538> for Unique permission at alloc602[0x38], but that tag only grants SharedReadOnly permission for this location
   --> src/ptr.rs:170:18
    |
170 |         unsafe { &mut *self.ptr.as_ptr() }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc602[0x38..0x48]
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
help: <1538> was created by a SharedReadOnly retag at offsets [0x38..0x48]
   --> src/ptr.rs:89:18
    |
 89 |             ptr: NonNull::from(ptr),
    |                  ^^^^^^^^^^^^^^^^^^
    = note: stack backtrace:
            0: anyhow::ptr::Mut::<'_, ErrorContext>::deref_mut
                at src/ptr.rs:170:18: 170:41
            1: anyhow::error::<impl anyhow::Error>::downcast_mut::<ErrorContext>
                at src/error.rs:560:18: 560:46
            2: main
                at examples/downcast_mut.rs:15:38: 15:58

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).

Important

Release Notes retrieval for this PR were skipped because no github.com credentials were available.
If you are self-hosted, please see this instruction.


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [anyhow](https://github.com/dtolnay/anyhow) | dependencies | patch | `1.0.102` → `1.0.103` | --- ### Unsoundness in `Error::downcast_mut()` [RUSTSEC-2026-0190](https://rustsec.org/advisories/RUSTSEC-2026-0190.html) <details> <summary>More information</summary> #### Details Affected versions of this crate violate borrow rules, resulting in undefined behavior, when the user adds context to an error via `Error::context` and then later calls `Error::downcast_mut` on the returned `Error`. The flaw was corrected in commit `6e8c000` by revising how the mutable reference is constructed, avoiding inclusion of a shared reference in the resulting borrow chain. ##### Example ```rust use anyhow::Error; use std::fmt; #[derive(Debug)] struct ErrorContext(&'static str); impl fmt::Display for ErrorContext { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fmt::Display::fmt(&self.0, f) } } fn main() { let mut error = Error::msg("inner error").context(ErrorContext("old context")); let context: &mut ErrorContext = error.downcast_mut().unwrap(); context.0 = "new context"; println!("{:?}", error); } ``` ##### Miri output ``` error: Undefined Behavior: trying to retag from <1538> for Unique permission at alloc602[0x38], but that tag only grants SharedReadOnly permission for this location --> src/ptr.rs:170:18 | 170 | unsafe { &mut *self.ptr.as_ptr() } | ^^^^^^^^^^^^^^^^^^^^^^^ this error occurs as part of retag at alloc602[0x38..0x48] | = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information help: <1538> was created by a SharedReadOnly retag at offsets [0x38..0x48] --> src/ptr.rs:89:18 | 89 | ptr: NonNull::from(ptr), | ^^^^^^^^^^^^^^^^^^ = note: stack backtrace: 0: anyhow::ptr::Mut::<'_, ErrorContext>::deref_mut at src/ptr.rs:170:18: 170:41 1: anyhow::error::<impl anyhow::Error>::downcast_mut::<ErrorContext> at src/error.rs:560:18: 560:46 2: main at examples/downcast_mut.rs:15:38: 15:58 ``` #### Severity Unknown #### References - [https://crates.io/crates/anyhow](https://crates.io/crates/anyhow) - [https://rustsec.org/advisories/RUSTSEC-2026-0190.html](https://rustsec.org/advisories/RUSTSEC-2026-0190.html) - [https://github.com/dtolnay/anyhow/issues/451](https://github.com/dtolnay/anyhow/issues/451) This data is provided by [OSV](https://osv.dev/vulnerability/RUSTSEC-2026-0190) and the [Rust Advisory Database](https://github.com/RustSec/advisory-db) ([CC0 1.0](https://github.com/rustsec/advisory-db/blob/main/LICENSE.txt)). </details> > :exclamation: **Important** > > Release Notes retrieval for this PR were skipped because no github.com credentials were available. > If you are self-hosted, please see [this instruction](https://github.com/renovatebot/renovate/blob/master/docs/usage/examples/self-hosting.md#githubcom-token-for-release-notes). --- ### Configuration 📅 **Schedule**: (in timezone UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNTIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjI1Mi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJzZWN1cml0eSJdfQ==-->
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/crate-anyhow-vulnerability:renovate/crate-anyhow-vulnerability
git switch renovate/crate-anyhow-vulnerability

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main
git merge --no-ff renovate/crate-anyhow-vulnerability
git switch renovate/crate-anyhow-vulnerability
git rebase main
git switch main
git merge --ff-only renovate/crate-anyhow-vulnerability
git switch renovate/crate-anyhow-vulnerability
git rebase main
git switch main
git merge --no-ff renovate/crate-anyhow-vulnerability
git switch main
git merge --squash renovate/crate-anyhow-vulnerability
git switch main
git merge --ff-only renovate/crate-anyhow-vulnerability
git switch main
git merge renovate/crate-anyhow-vulnerability
git push origin main
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Headscracher/dosh!7
No description provided.