Skip to content

Dependencies: [Security] Bump rustix from 0.36.5 to 0.36.17

dependabot requested to merge dependabot-cargo-rustix-0.36.17 into master

Bumps rustix from 0.36.5 to 0.36.17. This update includes a security fix.

Vulnerabilities fixed

rustix's rustix::fs::Dir iterator with the linux_raw backend can cause memory explosion


When using rustix::fs::Dir using the linux_raw backend, it's possible for the iterator to "get stuck" when an IO error is encountered. Combined with a memory over-allocation issue in rustix::fs::Dir::read_more, this can cause quick and unbounded memory explosion (gigabytes in a few seconds if used on a hot path) and eventually lead to an OOM crash of the application.



The symptoms were initially discovered in imsnif/bandwhich#284. That post has lots of details of our investigation. See this post and the Discord thread for details.


This issue is caused by the combination of two independent bugs:

  1. Stuck iterator
  • The rustix::fs::Dir iterator can fail to halt after encountering an IO error, causing the caller to be stuck in an infinite loop.
  1. Memory over-allocation
  • Dir::read_more incorrectly grows the read buffer unconditionally each time it is called, regardless of necessity.

Since <Dir as Iterator>::next calls Dir::read, which in turn calls Dir::read_more, this means an IO error encountered during reading a directory can lead to rapid and unbounded growth of memory use.

... (truncated)

Patched versions: 0.36.16 Affected versions: >= 0.36.0, < 0.36.16

Release notes

Sourced from rustix's releases.


  • Fixes undefined references to pwritev64v2, preadv64v2, getauxval, and setns on older glibc versions (#535 and #556)
  • Hopefully fixes the intermittent build errors (#544)
  • 76c998c chore: Release rustix version 0.36.17
  • 1c6013a Fix p{read,write}v{,v2}'s encoding of the offset argument on Linux. (#896) (#...
  • 6534992 chore: Release rustix version 0.36.16
  • 4928cf7 Disable riscv64 testing.
  • 8cc159c Fix the test_ttyname_ok test when /dev/stdin is inaccessable. (#821)
  • 6dc7ba9 Downgrade dependencies and disable tests to compile under Rust 1.48.
  • ded8986 Disable MIPS in CI. (#793)
  • 739f9c3 Fixes for Dir on macOS, FreeBSD, and WASI.
  • 87481a9 Merge pull request from GHSA-c827-hfw6-qwvm
  • 5b764b5 chore: Release rustix version 0.36.15
  • Additional commits viewable in compare view

Merge request reports