Bumps image from 0.15.0 to 0.21.3. This update includes a security fix.
Vulnerabilities fixed
*Sourced from [The RustSec Advisory Database](https://github.com/RustSec/advisory-db/blob/master/crates/image/RUSTSEC-0000-0000.toml).*
> **Flaw in interface may drop uninitialized instance of arbitrary types**
> Affected versions of this crate would call `Vec::set_len` on an uninitialized
> vector with user-provided type parameter, in an interface of the HDR image
> format decoder. They would then also call other code that could panic before
> initializing all instances.
>
> This could run Drop implementations on uninitialized types, equivalent to
> use-after-free, and allow an attacker arbitrary code execution.
>
> Two different fixes were applied. It is possible to conserve the interface by
> ensuring proper initialization before calling `Vec::set_len`. Drop is no longer
> called in case of panic, though.
>
> Starting from version `0.22`, a breaking change to the interface requires
> callers to pre-allocate the output buffer and pass a mutable slice instead,
> avoiding all unsafe code.
>
> Patched versions: >= 0.21.3
> Unaffected versions: < 0.10.2
Changelog
*Sourced from [image's changelog](https://github.com/image-rs/image/blob/v0.21.3/CHANGES.md).*
> ### Version 0.21.3
>
> - Fixed an issue in `HdrDecoder::read_image_transform` that could drop
> uninitialized instances of arbitrary types on panic or expose uninitialized
> memory. The fix entails not dropping any value on error or panic, the method
> should only be used to read to types without `Drop` implementations.
>
> ### Version 0.21.2
>
> - Fixed a variety of crashes and opaque errors in webp
> - Updated the png limits to be less restrictive
> - Reworked even more `unsafe` operations into safe alternatives
> - Derived Debug on FilterType and Deref on Pixel
> - Removed a restriction on DXT to always require power of two dimensions
> - Change the encoding of RGBA in bmp using bitfields
> - Corrected various urls
>
> ### Version 0.21.1
>
> - A fairly important bugfix backport
> - Fixed a potentially memory safety issue in the hdr and tiff decoders, see [#885](https://github-redirect.dependabot.com/image-rs/image/issues/885)
> - See [the full advisory](https://github.com/image-rs/image/blob/v0.21.3/docs/2019-04-23-memory-unsafety.md) for an analysis
> - Fixes `ImageBuffer` index calculation for very, very large images
> - Fix some crashes while parsing specific incomplete pnm images
> - Added comprehensive fuzzing for the pam image types
>
> ### Version 0.21
>
> - Updated README to use `GenericImageView`
> - Removed outdated version number from CHANGES
> - Compiles now with wasm-unknown-emscripten target
> - Restructured `ImageDecoder` trait
> - Updated README with a more colorful example for the Julia fractal
> - Use Rust 1.24.1 as minimum supported version
> - Support for loading GIF frames one at a time with `animation::Frames`
> - The TGA decoder now recognizes 32 bpp as RGBA(8)
> - Fixed `to_bgra` document comment
> - Added release test script
> - Removed unsafe code blocks several places
> - Fixed overlay overflow bug issues with documented proofs
>
> ### Version 0.20
>
> - Clippy lint pass
> - Updated num-rational dependency
> - Added BGRA and BGR color types
> - Improved performance of image resizing
> - Improved PBM decoding
> - PNM P4 decoding now returns bits instead of bytes
> - Fixed move of overlapping buffers in BMP decoder
> ... (truncated)
Commits
- See full diff in [compare view](https://github.com/image-rs/image/commits/v0.21.3)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.
palfrey
commented
4 years ago
Bumps image from 0.15.0 to 0.21.3. This update includes a security fix.
Vulnerabilities fixed
*Sourced from [The RustSec Advisory Database](https://github.com/RustSec/advisory-db/blob/master/crates/image/RUSTSEC-0000-0000.toml).* > **Flaw in interface may drop uninitialized instance of arbitrary types** > Affected versions of this crate would call `Vec::set_len` on an uninitialized > vector with user-provided type parameter, in an interface of the HDR image > format decoder. They would then also call other code that could panic before > initializing all instances. > > This could run Drop implementations on uninitialized types, equivalent to > use-after-free, and allow an attacker arbitrary code execution. > > Two different fixes were applied. It is possible to conserve the interface by > ensuring proper initialization before calling `Vec::set_len`. Drop is no longer > called in case of panic, though. > > Starting from version `0.22`, a breaking change to the interface requires > callers to pre-allocate the output buffer and pass a mutable slice instead, > avoiding all unsafe code. > > Patched versions: >= 0.21.3 > Unaffected versions: < 0.10.2Changelog
*Sourced from [image's changelog](https://github.com/image-rs/image/blob/v0.21.3/CHANGES.md).* > ### Version 0.21.3 > > - Fixed an issue in `HdrDecoder::read_image_transform` that could drop > uninitialized instances of arbitrary types on panic or expose uninitialized > memory. The fix entails not dropping any value on error or panic, the method > should only be used to read to types without `Drop` implementations. > > ### Version 0.21.2 > > - Fixed a variety of crashes and opaque errors in webp > - Updated the png limits to be less restrictive > - Reworked even more `unsafe` operations into safe alternatives > - Derived Debug on FilterType and Deref on Pixel > - Removed a restriction on DXT to always require power of two dimensions > - Change the encoding of RGBA in bmp using bitfields > - Corrected various urls > > ### Version 0.21.1 > > - A fairly important bugfix backport > - Fixed a potentially memory safety issue in the hdr and tiff decoders, see [#885](https://github-redirect.dependabot.com/image-rs/image/issues/885) > - See [the full advisory](https://github.com/image-rs/image/blob/v0.21.3/docs/2019-04-23-memory-unsafety.md) for an analysis > - Fixes `ImageBuffer` index calculation for very, very large images > - Fix some crashes while parsing specific incomplete pnm images > - Added comprehensive fuzzing for the pam image types > > ### Version 0.21 > > - Updated README to use `GenericImageView` > - Removed outdated version number from CHANGES > - Compiles now with wasm-unknown-emscripten target > - Restructured `ImageDecoder` trait > - Updated README with a more colorful example for the Julia fractal > - Use Rust 1.24.1 as minimum supported version > - Support for loading GIF frames one at a time with `animation::Frames` > - The TGA decoder now recognizes 32 bpp as RGBA(8) > - Fixed `to_bgra` document comment > - Added release test script > - Removed unsafe code blocks several places > - Fixed overlay overflow bug issues with documented proofs > > ### Version 0.20 > > - Clippy lint pass > - Updated num-rational dependency > - Added BGRA and BGR color types > - Improved performance of image resizing > - Improved PBM decoding > - PNM P4 decoding now returns bits instead of bytes > - Fixed move of overlapping buffers in BMP decoder > ... (truncated)Commits
- See full diff in [compare view](https://github.com/image-rs/image/commits/v0.21.3)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.