jonathanmorley / oktaws

Apache License 2.0
15 stars, 10 forks

[Security] Bump libflate from 0.1.18 to 0.1.25 #69

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps libflate from 0.1.18 to 0.1.25. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The RustSec Advisory Database](https://github.com/RustSec/advisory-db/blob/master/crates/libflate/RUSTSEC-0000-0000.toml).*

> **MultiDecoder::read() drops uninitialized memory of arbitrary type on panic in client code**
>
> Affected versions of libflate have set a field of an internal structure with a generic type to an uninitialized value in `MultiDecoder::read()` and reverted it to the original value after the function completed. However, execution of `MultiDecoder::read()` could be interrupted by a panic in caller-supplied `Read` implementation. This would cause `drop()` to be called on uninitialized memory of a generic type implementing `Read`.
>
> This is equivalent to a use-after-free vulnerability and could allow an attacker to gain arbitrary code execution.
>
> The flaw was corrected by aborting immediately instead of unwinding the stack in case of panic within `MultiDecoder::read()`. The issue was discovered and fixed by Shnatsel.
>
> Patched versions: >= 0.1.25
> Unaffected versions: < 0.1.14

Commits

- [`2efa0ab`](https://github.com/sile/libflate/commit/2efa0ab0d59698128b75ba2e6ec19195b403c83e) Bump version to v0.1.25
- [`a16c15a`](https://github.com/sile/libflate/commit/a16c15a39495646d40a5de278c1b9530e8c4ec3b) Apply rustfmt-1.2.0
- [`2c8adee`](https://github.com/sile/libflate/commit/2c8adee81fc6bb7b1faab97af1d2f5a532f4d249) Merge pull request [#38](https://github-redirect.dependabot.com/sile/libflate/issues/38) from Shnatsel/rle-decode-fast
- [`912fabd`](https://github.com/sile/libflate/commit/912fabdc8a41d4878e30c43044cc79cbb71b0201) Drop unused import
- [`62b520a`](https://github.com/sile/libflate/commit/62b520aaf9cbaf8012670ddec03e19b81e9fe2e3) Drop bespoke unsafe function that was used for RLE decoding, it's no longer n...
- [`0a802e4`](https://github.com/sile/libflate/commit/0a802e46b557602358b90ffb61553da4410af6f0) Convert non-blocking decoder to fast and safe RLE decode implementation
- [`db26a84`](https://github.com/sile/libflate/commit/db26a84837c0d07dc4dc01a61be36b2ea0fa8649) Use released version of rle-decode-fast crate
- [`bf3c6c3`](https://github.com/sile/libflate/commit/bf3c6c3949518b7b6172c27231ddfd5e9bdd8c86) Apply rustfmt-1.2.0
- [`8598b81`](https://github.com/sile/libflate/commit/8598b8124705ecb539ceb91e99f2965278cdaf93) Update to new crate name
- [`2ab6888`](https://github.com/sile/libflate/commit/2ab6888a4a8e94e6a38196eddcdb74f06233fe05) Merge remote-tracking branch 'origin/master' into rle-decode-fast
- Additional commits viewable in [compare view](https://github.com/sile/libflate/compare/0.1.18...0.1.25)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it). To ignore the version in this PR you can just close it
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
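The failure mode in the advisory above is a panic-safety bug: a generic field is temporarily replaced with an uninitialized value, a caller-supplied `Read` panics while the field is in that state, and unwinding runs `drop` over the garbage. The following is an added Rust example, not code from this PR or from libflate, showing the two ways out of that hole: holding the field in an `Option` so that "moved out" is a state the type system tracks (a panic then leaves `None` behind, which is always safe to drop), and an abort-on-unwind guard of the kind the advisory describes as the actual fix (a panic inside the guarded section aborts the process instead of unwinding). `Decoder`, `PanickingReader` and `with_abort_on_unwind` are toy names assumed here; the exact shape of the libflate patch is not reproduced.

```rust
use std::io::{self, Read};
use std::mem;
use std::panic::{self, AssertUnwindSafe};
use std::process;

/// Constructed reader standing in for the advisory's "panic in
/// caller-supplied Read implementation": it serves two bytes on the first
/// call and panics on every later one.
pub struct PanickingReader {
    pub calls: usize,
}

impl Read for PanickingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.calls += 1;
        if self.calls == 1 {
            let n = buf.len().min(2);
            buf[..n].copy_from_slice(&b"ab"[..n]);
            Ok(n)
        } else {
            panic!("reader failed mid-stream");
        }
    }
}

/// Toy multi-member decoder (not libflate's MultiDecoder). The reader sits in
/// an `Option` so that "temporarily taken out of self" is a real state rather
/// than a hole filled with uninitialized bytes; dropping `None` is always sound.
pub struct Decoder<R> {
    inner: Option<R>,
    pub bytes_seen: usize,
}

impl<R: Read> Decoder<R> {
    pub fn new(inner: R) -> Self {
        Decoder { inner: Some(inner), bytes_seen: 0 }
    }

    /// Take the reader out, call it, put it back. If `read` panics, `inner`
    /// is a plain local and is dropped normally during unwinding; `self.inner`
    /// stays `None`, so later calls report a poisoned decoder instead of
    /// touching invalid memory.
    pub fn read_member(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        let mut inner = match self.inner.take() {
            Some(r) => r,
            None => {
                return Err(io::Error::new(
                    io::ErrorKind::Other,
                    "decoder poisoned by an earlier panic",
                ))
            }
        };
        let result = inner.read(buf);
        self.inner = Some(inner); // restored before any early return via `?`
        let n = result?;
        self.bytes_seen += n;
        Ok(n)
    }

    /// True once a panic has interrupted `read_member`.
    pub fn is_poisoned(&self) -> bool {
        self.inner.is_none()
    }
}

/// Abort-on-unwind guard, the other remedy named in the advisory: if `f`
/// panics while the guard is live, its destructor runs during unwinding and
/// aborts the process, so no other destructor ever sees half-updated state.
/// On the normal path the guard is forgotten, which disarms it.
pub fn with_abort_on_unwind<T>(f: impl FnOnce() -> T) -> T {
    struct AbortOnUnwind;
    impl Drop for AbortOnUnwind {
        fn drop(&mut self) {
            process::abort();
        }
    }
    let guard = AbortOnUnwind;
    let out = f();
    mem::forget(guard);
    out
}

fn main() {
    let mut dec = Decoder::new(PanickingReader { calls: 0 });
    let mut buf = [0u8; 8];
    let n = dec.read_member(&mut buf).unwrap();
    println!("first read: {} bytes {:?}", n, &buf[..n]);
    // Second call panics inside the caller-supplied reader; the decoder
    // survives the unwind with no uninitialized memory ever being dropped.
    let unwound = panic::catch_unwind(AssertUnwindSafe(|| dec.read_member(&mut buf))).is_err();
    println!("second read panicked: {}, decoder poisoned: {}", unwound, dec.is_poisoned());
    println!("third read: {:?}", dec.read_member(&mut buf).map_err(|e| e.kind()));
    println!("guarded section returned {}", with_abort_on_unwind(|| 40 + 2));
}
```

The `Option` approach is preferable where the type allows it, because it costs nothing at runtime and needs no `unsafe`; the abort guard is the tool for sections that genuinely must hold an invalid intermediate state, at the price of turning a recoverable panic into a process abort.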
dependabot-preview[bot] commented 5 years ago

Superseded by #74.