Update Rust crate pyo3 to 0.24.1 [SECURITY] by renovate[bot] · Pull Request #135 · googlefonts/shaperglot · GitHub

Update Rust crate pyo3 to 0.24.1 [SECURITY] #135


Status: Open. Wants to merge 1 commit into base: main

Conversation

renovate[bot] (Contributor) commented Apr 2, 2025

This PR contains the following updates:

Package | Type         | Update | Change
pyo3    | dependencies | minor  | 0.23 -> 0.24.1

GitHub Vulnerability Alerts

GHSA-pph8-gcv7-4qj5

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul byte. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.


Release Notes

pyo3/pyo3 (pyo3)

v0.24.1

Compare Source

Added
  • Add abi3-py313 feature. #4969
  • Add PyAnyMethods::getattr_opt. #4978
  • Add PyInt::new constructor for all supported number types (i32, u32, i64, u64, isize, usize). #4984
  • Add pyo3::sync::with_critical_section2. #4992
  • Implement PyCallArgs for Borrowed<'_, 'py, PyTuple>, &Bound<'py, PyTuple>, and &Py<PyTuple>. #5013
Fixed
  • Fix is_type_of for native types not using same specialized check as is_type_of_bound. #4981
  • Fix Probe class naming issue with #[pymethods]. #4988
  • Fix compile failure with required #[pyfunction] arguments taking Option<&str> and Option<&T> (for #[pyclass] types). #5002
  • Fix PyString::from_object causing out of bounds reads with encoding and errors parameters which are not nul-terminated. #5008
  • Fix compile error when additional options follow after crate for #[pyfunction]. #5015

v0.24.0

Compare Source

Packaging
  • Add supported CPython/PyPy versions to cargo package metadata. #4756
  • Bump target-lexicon dependency to 0.13. #4822
  • Add optional jiff dependency to add conversions for jiff datetime types. #4823
  • Add optional uuid dependency to add conversions for uuid::Uuid. #4864
  • Bump minimum supported inventory version to 0.3.5. #4954
Added
  • Add PyIterator::send method to allow sending values into a python generator. #4746
  • Add PyCallArgs trait for passing arguments into the Python calling protocol. This enabled using a faster calling convention for certain types, improving performance. #4768
  • Add #[pyo3(default = ...)] option for #[derive(FromPyObject)] to set a default value for extracted fields of named structs. #4829
  • Add #[pyo3(into_py_with = ...)] option for #[derive(IntoPyObject, IntoPyObjectRef)]. #4850
  • Add FFI definitions PyThreadState_GetFrame and PyFrame_GetBack. #4866
  • Optimize last for BoundListIterator, BoundTupleIterator and BorrowedTupleIterator. #4878
  • Optimize Iterator::count() for PyDict, PyList, PyTuple & PySet. #4878
  • Optimize nth, nth_back, advance_by and advance_back_by for BoundTupleIterator. #4897
  • Add support for types.GenericAlias as pyo3::types::PyGenericAlias. #4917
  • Add MutexExt trait to help avoid deadlocks with the GIL while locking a std::sync::Mutex. #4934
  • Add #[pyo3(rename_all = "...")] option for #[derive(FromPyObject)]. #4941
Changed
  • Optimize nth, nth_back, advance_by and advance_back_by for BoundListIterator. #4810
  • Use DerefToPyAny in blanket implementations of From<Py<T>> and From<Bound<'py, T>> for PyObject. #4593
  • Map io::ErrorKind::IsADirectory/NotADirectory to the corresponding Python exception on Rust 1.83+. #4747
  • PyAnyMethods::call and friends now require PyCallArgs for their positional arguments. #4768
  • Expose FFI definitions for PyObject_Vectorcall(Method) on the stable abi on 3.12+. #4853
  • #[pyo3(from_py_with = ...)] now takes a path rather than a string literal. #4860
  • Format Python traceback in impl Debug for PyErr. #4900
  • Convert PathBuf & Path into Python pathlib.Path instead of PyString. #4925
  • Relax parsing of exotic Python versions. #4949
  • PyO3 threads now hang instead of pthread_exit trying to acquire the GIL when the interpreter is shutting down. This mimics the Python 3.14 behavior and avoids undefined behavior and crashes. #4874
Removed
  • Remove implementations of Deref for PyAny and other "native" types. #4593
  • Remove implicit default of trailing optional arguments (see #2935). #4729
  • Remove the deprecated implicit eq fallback for simple enums. #4730
Fixed
  • Correct FFI definition of PyIter_Send to return a PySendResult. #4746
  • Fix a thread safety issue in the runtime borrow checker used by mutable pyclass instances on the free-threaded build. #4948

v0.23.5

Compare Source

Packaging
Fixed
  • Fix thread-unsafe implementation of freelist pyclasses on the free-threaded build. #4902
  • Re-enable a workaround for situations where CPython incorrectly does not add __builtins__ to __globals__ in code executed by Python::py_run (was removed in PyO3 0.23.0). #4921

v0.23.4

Compare Source

Added
  • Add PyList::locked_for_each, which uses a critical section to lock the list on the free-threaded build. #4789
  • Add pyo3_build_config::add_python_framework_link_args build script API to set rpath when using macOS system Python. #4833
Changed
  • Use datetime.fold to distinguish ambiguous datetimes when converting to and from chrono::DateTime<Tz> (rather than erroring). #4791
  • Optimize PyList iteration on the free-threaded build. #4789
Fixed
  • Fix unnecessary internal py.allow_threads GIL-switch when attempting to access contents of a PyErr which originated from Python (could lead to unintended deadlocks). #4766
  • Fix thread-unsafe access of dict internals in BoundDictIterator on the free-threaded build. #4788
  • Fix unnecessary critical sections in BoundDictIterator on the free-threaded build. #4788
  • Fix time-of-check to time-of-use issues with list iteration on the free-threaded build. #4789
  • Fix chrono::DateTime<Tz> to-Python conversion when Tz is chrono_tz::Tz. #4790
  • Fix #[pyclass] not being able to be named Probe. #4794
  • Fix not treating cross-compilation from x64 to aarch64 on Windows as a cross-compile. #4800
  • Fix missing struct fields on GraalPy when subclassing builtin classes. #4802
  • Fix generating import lib for PyPy when abi3 feature is enabled. #4806
  • Fix generating import lib for python3.13t when abi3 feature is enabled. #4808
  • Fix compile failure for raw identifiers like r#box in derive(FromPyObject). #4814
  • Fix compile failure for #[pyclass] enum variants with more than 12 fields. #4832

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
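The advisory above comes down to a length-delimited Rust &str being handed to a C API that expects a nul-terminated buffer. The Rust program below is an added illustration, not PyO3's code: `c_side_strlen` is a stand-in for the CPython call that consumes the `encoding`/`errors` strings, `forward_str_unchecked` reconstructs the pre-0.24.1 pattern (guarded so it never actually reads past the slice), and `forward_str_checked` shows the 0.24.1 CString approach.

```rust
use std::ffi::{CStr, CString, NulError};
use std::os::raw::c_char;

/// Stand-in for a C API parameter such as the `encoding`/`errors` strings
/// CPython expects: scans from `p` until the first nul byte.
/// Safety: `p` must point at a buffer that contains a nul byte.
unsafe fn c_side_strlen(p: *const c_char) -> usize {
    CStr::from_ptr(p).to_bytes().len()
}

/// A `&str` is length-delimited; it is only usable as a C string if a nul
/// byte happens to sit somewhere inside the slice.
fn contains_nul(bytes: &[u8]) -> bool {
    bytes.contains(&0)
}

/// Reconstruction of the pre-0.24.1 pattern (not PyO3's actual code): the
/// `&str` pointer is forwarded as-is. The call is guarded here, so where C
/// would keep scanning into adjacent memory this returns `None` instead.
fn forward_str_unchecked(s: &str) -> Option<usize> {
    if !contains_nul(s.as_bytes()) {
        return None; // the out-of-bounds read the advisory describes
    }
    Some(unsafe { c_side_strlen(s.as_ptr() as *const c_char) })
}

/// The 0.24.1 approach: allocate a `CString`, which appends the terminator
/// and rejects interior nul bytes (which C would silently treat as the end).
fn forward_str_checked(s: &str) -> Result<usize, NulError> {
    let c = CString::new(s)?;
    Ok(unsafe { c_side_strlen(c.as_ptr()) })
}

fn main() {
    // A plain literal has no terminator: the unchecked path cannot use it.
    println!("{:?}", forward_str_unchecked("utf-8")); // None
    // An interior nul is silently taken as the end of the string.
    println!("{:?}", forward_str_unchecked("a\0bc")); // Some(1)
    // CString handles the first case and refuses the second.
    println!("{:?}", forward_str_checked("utf-8")); // Ok(5)
    println!("{}", forward_str_checked("a\0bc").is_err()); // true
}
```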

@renovate renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from 3f2bd82 to ab420a1 on April 24, 2025 07:47
@renovate renovate bot changed the title Update Rust crate pyo3 to 0.24.1 [SECURITY] Update Rust crate pyo3 to 0.24.2 [SECURITY] Apr 24, 2025
@renovate renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from ab420a1 to e9843cb on April 24, 2025 14:32
@renovate renovate bot changed the title Update Rust crate pyo3 to 0.24.2 [SECURITY] Update Rust crate pyo3 to 0.24.1 [SECURITY] Apr 24, 2025
@renovate renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from e9843cb to bde2d8d on April 30, 2025 13:44
@renovate renovate bot changed the title Update Rust crate pyo3 to 0.24.1 [SECURITY] Update Rust crate pyo3 to 0.24.2 [SECURITY] Apr 30, 2025
@renovate renovate bot changed the title Update Rust crate pyo3 to 0.24.2 [SECURITY] Update Rust crate pyo3 to 0.24.1 [SECURITY] Apr 30, 2025
@renovate renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from bde2d8d to 8c4cadc on April 30, 2025 19:58
@renovate renovate bot changed the title Update Rust crate pyo3 to 0.24.1 [SECURITY] Update Rust crate pyo3 to 0.24.2 [SECURITY] May 7, 2025
@renovate renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from 8c4cadc to 6777fe5 on May 7, 2025 10:58
@renovate renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from 6777fe5 to 56ba52f on May 7, 2025 16:08
@renovate renovate bot changed the title Update Rust crate pyo3 to 0.24.2 [SECURITY] Update Rust crate pyo3 to 0.24.1 [SECURITY] May 7, 2025