@renovate renovate bot commented Apr 10, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| crossbeam-channel (source) | dependencies | patch | 0.5.14 -> 0.5.15 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-4574

The internal Channel type's Drop method has a race
which could, in some circumstances, lead to a double-free.
This could result in memory corruption.

Quoting from the
upstream description in merge request #1187:

The problem lies in the fact that discard_all_messages contained two paths that could lead to head.block being read but only one of them would swap the value. This meant that discard_all_messages could end up observing a non-null block pointer (and therefore attempting to free it) without setting head.block to null. This would then lead to Channel::drop making a second attempt at dropping the same pointer.

The bug was introduced while fixing a memory leak, in
upstream MR #1084,
first published in 0.5.12.

The fix is in
upstream MR #1187
and has been published in 0.5.15.


Release Notes

crossbeam-rs/crossbeam (crossbeam-channel)

v0.5.15: crossbeam-channel 0.5.15


  • Fix regression introduced in 0.5.12 that can lead to a double free when dropping unbounded channel. (#1187)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
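The race quoted in the vulnerability alert above, reduced to its shape as an added illustration (this is not crossbeam-channel's code; `Pool`, `NO_BLOCK`, `double_frees` and the path selector are constructed for the model). Blocks are pool indices rather than heap pointers, so the second free is counted instead of corrupting memory, and `fixed` models the corrected path that clears `head.block` before freeing it.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Mutex;

const NO_BLOCK: usize = usize::MAX; // stands in for a null head.block pointer

/// Constructed stand-in for the allocator: a second free is recorded, not UB.
#[derive(Default)]
pub struct Pool { freed: Mutex<Vec<bool>>, pub errors: Mutex<Vec<String>> }

impl Pool {
    fn alloc(&self) -> usize { let mut f = self.freed.lock().unwrap(); f.push(false); f.len() - 1 }
    fn free(&self, id: usize) {
        let mut f = self.freed.lock().unwrap();
        if f[id] { self.errors.lock().unwrap().push(format!("double free of block {id}")); }
        f[id] = true;
    }
}

pub struct Channel<'a> { pool: &'a Pool, head_block: AtomicUsize, fixed: bool }

impl<'a> Channel<'a> {
    pub fn new(pool: &'a Pool, fixed: bool) -> Self {
        Channel { pool, head_block: AtomicUsize::new(pool.alloc()), fixed }
    }
    /// `take_path_b` picks which of the two paths observes head.block.
    pub fn discard_all_messages(&self, take_path_b: bool) {
        let block = if take_path_b && !self.fixed {
            // Regressed path (0.5.12..0.5.14): reads the pointer but never clears it,
            // so Channel::drop later sees the same non-null block.
            self.head_block.load(Ordering::Acquire)
        } else {
            // Path A, and path B after the fix: take ownership by swapping in null.
            self.head_block.swap(NO_BLOCK, Ordering::AcqRel)
        };
        if block != NO_BLOCK { self.pool.free(block); }
    }
}

impl Drop for Channel<'_> {
    fn drop(&mut self) {
        // Channel::drop frees whatever head.block still points at.
        let block = self.head_block.swap(NO_BLOCK, Ordering::AcqRel);
        if block != NO_BLOCK { self.pool.free(block); }
    }
}

/// Runs discard-then-drop once and returns how many double frees were recorded.
pub fn double_frees(fixed: bool, take_path_b: bool) -> usize {
    let pool = Pool::default();
    { let ch = Channel::new(&pool, fixed); ch.discard_all_messages(take_path_b); }
    let n = pool.errors.lock().unwrap().len(); n
}
```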

@renovate renovate bot added the type/patch label Apr 10, 2025
@renovate renovate bot force-pushed the renovate/crate-crossbeam-channel-vulnerability branch from 06de26c to 7caca2e Compare August 10, 2025 14:39
@renovate renovate bot changed the title fix(deps): update rust crate crossbeam-channel to 0.5.15 [security] chore(deps): update rust crate crossbeam-channel to 0.5.15 [security] Sep 25, 2025
@renovate renovate bot force-pushed the renovate/crate-crossbeam-channel-vulnerability branch from 7caca2e to a494ddd Compare December 10, 2025 11:15
@mihirsamdarshi mihirsamdarshi merged commit 8512481 into main Dec 10, 2025
1 check passed
@renovate renovate bot deleted the renovate/crate-crossbeam-channel-vulnerability branch December 10, 2025 18:50