
fix(deps): update rust crate pyo3 to v0.22.4 [security] #22

Status: Open. Wants to merge 1 commit into base: main.

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Oct 15, 2024

This PR contains the following updates:

Package | Type | Update | Change
pyo3 | dependencies | patch | 0.22.0 -> 0.22.4

GitHub Vulnerability Alerts

CVE-2024-9979

The family of functions to read "borrowed" values from Python weak references was fundamentally unsound, because the weak reference does not itself have ownership of the value. At any point the last strong reference could be cleared, and the borrowed value would become dangling.

In PyO3 0.22.4 these functions have all been deprecated and patched to leak a strong reference as a mitigation. PyO3 0.23 will remove these functions entirely.


Release Notes

pyo3/pyo3 (pyo3)

v0.22.4


Added
  • Add FFI definition PyWeakref_GetRef and compat::PyWeakref_GetRef. #4528
Changed
  • Deprecate _borrowed methods on PyWeakRef and PyWeakrefProxy (just use the owning forms). #4590
Fixed
  • Revert removal of private FFI function _PyLong_NumBits on Python 3.13 and later. #4450
  • Fix __traverse__ functions for base classes not being called by subclasses created with #[pyclass(extends = ...)]. #4563
  • Fix regression in 0.22.3 failing compiles under #![forbid(unsafe_code)]. #4574
  • Workaround possible use-after-free in _borrowed methods on PyWeakRef and PyWeakrefProxy by leaking their contents. #4590
  • Fix crash calling PyType_GetSlot on static types before Python 3.10. #4599

v0.22.3


Added
  • Add pyo3::ffi::compat namespace with compatibility shims for C API functions added in recent versions of Python.
  • Add FFI definition PyDict_GetItemRef on Python 3.13 and newer, and compat::PyDict_GetItemRef for all versions. #4355
  • Add FFI definition PyList_GetItemRef on Python 3.13 and newer, and pyo3_ffi::compat::PyList_GetItemRef for all versions. #4410
  • Add FFI definitions compat::Py_NewRef and compat::Py_XNewRef. #4445
  • Add FFI definitions compat::PyObject_CallNoArgs and compat::PyObject_CallMethodNoArgs. #4461
  • Add GilOnceCell<Py<T>>::clone_ref. #4511
Changed
  • Improve error messages for #[pyfunction] defined inside #[pymethods]. #4349
  • Improve performance of calls to Python by using the vectorcall calling convention where possible. #4456
  • Mention the type name in the exception message when trying to instantiate a class with no constructor defined. #4481
Removed
  • Remove private FFI definition _Py_PackageContext. #4420
Fixed
  • Fix compile failure in declarative #[pymodule] under presence of #![no_implicit_prelude]. #4328
  • Fix use of borrowed reference in PyDict::get_item (unsafe in free-threaded Python). #4355
  • Fix #[pyclass(eq)] macro hygiene issues for structs and enums. #4359
  • Fix hygiene/span issues of #[pyfunction] and #[pymethods] generated code which affected expansion in macro_rules context. #4382
  • Fix unsafe_code lint error in #[pyclass] generated code. #4396
  • Fix async functions returning a tuple only returning the first element to Python. #4407
  • Fix use of borrowed reference in PyList::get_item (unsafe in free-threaded Python). #4410
  • Correct FFI definition PyArg_ParseTupleAndKeywords to take *const *const c_char instead of *mut *mut c_char on Python 3.13 and up. #4420
  • Fix a soundness bug with PyClassInitializer: panic if adding subclass to existing instance via PyClassInitializer::from(Py<BaseClass>).add_subclass(SubClass). #4454
  • Fix illegal reference counting op inside implementation of __traverse__ handlers. #4479

v0.22.2


Packaging
  • Require opt-in to freethreaded Python using the UNSAFE_PYO3_BUILD_FREE_THREADED=1 environment variable (it is not yet supported by PyO3). #4327
Changed
  • Use FFI function calls for reference counting on all abi3 versions. #4324
  • #[pymodule(...)] now directly accepts all relevant #[pyo3(...)] options. #4330
Fixed
  • Fix compile failure in declarative #[pymodule] under presence of #![no_implicit_prelude]. #4328
  • Fix compile failure due to c-string literals on Rust < 1.79. #4353

v0.22.1


Added
  • Add #[pyo3(submodule)] option for declarative #[pymodule]s. #4301
  • Implement PartialEq<bool> for Bound<'py, PyBool>. #4305
Fixed
  • Return NotImplemented instead of raising TypeError from generated equality method when comparing different types. #4287
  • Handle full-path #[pyo3::prelude::pymodule] and similar for #[pyclass] and #[pyfunction] in declarative modules. #4288
  • Fix 128-bit int regression on big-endian platforms with Python <3.13. #4291
  • Stop generating code that will never be covered with declarative modules. #4297
  • Fix invalid deprecation warning for trailing optional on #[setter] function. #4304

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.
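The unsoundness behind CVE-2024-9979 and the leak-based mitigation in 0.22.4, modelled in plain Rust with Rc/Weak so it runs without a Python interpreter. This is an added example, not PyO3's code: WeakRef, upgrade_borrowed_leaking, borrowed_scenario and owning_scenario are hypothetical names standing in for PyO3's weakref types, their deprecated _borrowed methods and the owning forms the changelog recommends.

```rust
use std::rc::{Rc, Weak};

/// Model of a Python weak reference (hypothetical stand-in for PyO3's PyWeakRef): it owns nothing.
pub struct WeakRef<T>(Weak<T>);

impl<T> WeakRef<T> {
    pub fn new(target: &Rc<T>) -> Self {
        WeakRef(Rc::downgrade(target))
    }

    /// The sound, owning form ("just use the owning forms"): the caller gets a strong
    /// reference that keeps the value alive while held, or None once it was collected.
    pub fn upgrade(&self) -> Option<Rc<T>> {
        self.0.upgrade()
    }

    /// Model of the 0.22.4 mitigation for the deprecated `_borrowed` methods. Before
    /// the patch the borrow lived as long as `&self` (the weak ref) while the strong
    /// count was released at once, so clearing the last strong ref left it dangling
    /// (CVE-2024-9979). The patch leaks the strong reference instead.
    pub fn upgrade_borrowed_leaking(&self) -> Option<&T> {
        let strong = self.0.upgrade()?;
        // into_raw gives up the Rc without decrementing the count: the value now lives forever.
        let leaked: *const T = Rc::into_raw(strong);
        // SAFETY: the leaked strong count is never released, so the pointee outlives any
        // borrow handed out here. Soundness is bought with a memory leak.
        Some(unsafe { &*leaked })
    }

    pub fn strong_count(&self) -> usize { self.0.strong_count() }
}

/// The advisory's scenario: borrow through the weak ref, then drop the last strong
/// ref that user code holds while the borrow is still in use.
pub fn borrowed_scenario() -> (String, usize) {
    let owner = Rc::new(String::from("payload"));
    let weak = WeakRef::new(&owner);
    let borrowed: &String = weak.upgrade_borrowed_leaking().expect("alive");
    drop(owner); // only the leaked count keeps `borrowed` valid now
    (borrowed.clone(), weak.strong_count())
}

/// Same sequence with the owning form: nothing dangles, the upgrade simply fails.
pub fn owning_scenario() -> Option<Rc<String>> {
    let owner = Rc::new(String::from("payload"));
    let weak = WeakRef::new(&owner);
    drop(owner);
    weak.upgrade()
}
```

The pre-patch behaviour is deliberately not modelled as running code, since it is undefined behaviour; the leaked strong count of 1 after `drop(owner)` is what the mitigation trades for soundness.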
