Skip to content
This repository was archived by the owner on Nov 21, 2025. It is now read-only.

Update Rust crate glib to 0.20.0 [SECURITY]#242

Open
renovate[bot] wants to merge 1 commit intodevelopfrom
renovate/crate-glib-vulnerability
Open

Update Rust crate glib to 0.20.0 [SECURITY]#242
renovate[bot] wants to merge 1 commit intodevelopfrom
renovate/crate-glib-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Dec 24, 2024
edited
Loading

This PR contains the following updates:

Package Type Update Change
glib (source) dependencies minor 0.16.9 -> 0.20.0

GitHub Vulnerability Alerts

GHSA-wrw7-89jp-8q8g

The VariantStrIter::impl_get function (called internally by implementations of the Iterator and DoubleEndedIterator traits for this type) was unsound, resulting in undefined behaviour.

An immutable reference &p to a *mut libc::c_char pointer initialized to NULL was passed as an argument to a C function that that mutates the pointer behind &p in-place (i.e. as an out-argument), which was unsound. After changes in recent versions of the Rust compiler, these unsound writes through &p now seem to be completely disregarded when building the glib crate with optimizations.

This subsequently caused all calls of VariantStrIter::impl_get to violate the safety requirements of the std::ffi::CStr::from_ptr function - which requires its argument to be a valid pointer to a C-style string - resulting in crashes due to NULL pointer dereferences.

This was fixed by passing the out-argument pointer explitly as &mut p instead of &p.

This issue has been present since this code was initially added in glib v0.15.0. The mismatch in mutability was likely missed (and not raised as an error by the compiler) because the C function wrapped by VariantStrIter::impl_get is variadic (glib_sys::g_variant_get_child), and the pointer in question is one of the variadic arguments.

Release Notes

gtk-rs/gtk-rs-core (glib)

v0.20.0

Compare Source

Bilal Elmoussaoui:
      cairo: Use workspaces
      cairo: Fix ffi glib crate name
      cairo: Add missing version
      Post release version bump
      ci/docs: Deploy 0.19 release
      chore: Drop no longer needed deny skips
      docs: Move metadata back to packages
      glib: Requires Upgrade on Downgrade::Weak type
      Update clone.rs
      glib: Mark GParamSpec types as manual
      glib: Don't use macros to generate ParamSpec structs
      Update gir/gir-files submodules
      Regenerate with latest gir/gir-files
      Revert "glib: Auto generate various win32 functions"
      glib/gio: Remove no longer used version/ignore
      glib: Ignore new unsafe functions
      Fix nightly clippy warnings
      gio: Stop re-exporting all the types in prelude
      gio: Move guards to trait definitions
      gio/socket: Replace c_int import with full qualifier
      gio/tests: Guard variable that is used on windows only builds
      typos: Ignore guid false-positive
      Regenerate with latest gir/gir-files
      pango: Mark Item.get_char_offset param as const
      pango: Re-export v1_54 feature
      ci: Bump pango feature
      pango: Downgrade require version for v1.54
      Fix various nightly clippy warnings
      Update gir submodule
      Regenerate with latest gir
      Adapt to no longer renamed ffi crates
      cairo: Add missing doc aliases
      gio/tests: Remove no longer useful guard
      Revert "build(deps): bump freetype-rs from 0.36.0 to 0.37.0"
      Update dependencies

Carlos Martín Nieto:
      gio: Add a method to get a stream of incoming connections to SocketListener
      gio: add SocketListenerExtManual to Gir.toml

DaKnig:
      spell fix

Fabio Valentini:
      glib: fix UB in VariantStrIter::impl_get

Fina Wilke:
      glib-macros/properties: Allow structs with no properties
      glib::wrapper: Add docs for impls generated by the wrapper macro
      glib-macros: Refactor parsing code of object_subclass/object_interface
      glib: Decouple ObjectInterface impl from interface class struct
      glib: Only implement Send an JoinHandle if the result is Send
      examples: Add example for custom class structs and virtual methods
      glib-macros: Fix clippy warnings in tests
      glib-macros: Properties: Annotate methods with #[allow(dead_code)]
      glib-macros: Fix links in property macros docs
      docs: Fix broken links
      glib: Make links in README.md work in both web and rustdoc

François Laignel:
      ObjectBuilder: add property_if(), property_if_some(), property_from_iter() ... ... & property_if_not_empty()

Kévin Commaille:
      glib-macros: Improve error message when Properties struct doesn't have at least one #[property(…)]

L. E. Segovia:
      cairo: Fix version of the v1_18 feature

Matthew Waters:
      pango: add some missing AttrInt constructors.

Maximiliano Sandoval:
      Document values of Continue and Break

Paolo Borelli:
      macros: allow to specify #[default] for glib::flags
      gio: remove Send + Sync requirements from DBusConnection::register_object
      gio: remove Send + Sync requirements also for other GDBus closures
      gio: explicitely ignore DBusConnection::register_object
      gio: use a builder to register a DBus object
      ci: bump gvsbuild
      Derive TransparentPtrType trait for Boxed
      strv: add From implementation from a String array

Pranjal Kole:
      glib/functions: add compute_checksum_for_string

Sebastian Dröge:
      Fix some new clippy warnings
      glib-macros: Require at least syn 2.0.32
      glib: Fix expected error output of compiletests for 1.76
      glib: Add `Quark::from_static_str()`
      glib: Use `Self` instead of `Quark` in a few places
      Remove Cargo.lock from .gitignore
      Update Cargo.lock
      deny: Add toml_edit / winnow overrides
      glib: Drop the main context future return value sender on finalize
      glib: Fix memory leak in `subclass::shared` tests
      glib: Use `glib::GString` for collate keys
      glib: Avoid heap allocation and copy of input strings for collation
      Update Cargo.lock
      deny: Add heck 0.4 to the ignore list
      glib: Don't misuse `slice::get_unchecked()`
      Downgrade clap
      Revert "deny: Add heck 0.4 to the ignore list"
      Update system-deps to 6.2.2
      Work around rustdoc-stripper bug
      Fix glib compiletest expected output for Rust 1.77
      Update gir
      Update gir-files
      Regenerate with latest gir / gir-files
      glib: Use `time_t` correctly for manual bindings
      glib-sys: Map `glib_sys::GPid` directly to `libc::pid_t`
      Add glib/gio `v2_82` feature
      ci: Update gvsbuild git reference
      graphene: Remove non-existing `v1_12` feature
      pango: Bump version features to released versions
      gio-sys: Hide UNIX specific `Credentials` API on Windows
      gio: Use correct types for UNIX-specific `Credentials` API
      glib: Freeze property notifications while setting multiple properties
      ci: Enable glib-sys / gobject-sys tests
      glib: Re-add and rename manual Win32 API additions
      glib: Use a reference to a pointer of correct mutability for from_glib_ptr_borrow()
      glib: Don't use `g_object_list_properties()` for setting properties
      glib: Move various assertions from `FromValue` to `from_glib_ptr_borrow()`
      glib: Extend `spawn_from_within()` test to actually use a future that compiles with the normal `spawn()`
      glib: Add missing `Send` bound to the output type of the `spawn_from_within()` future
      examples: Remove unnecessary `Debug` impl derive from virtual_methods example
      glib: Convert safety doc comment to a normal comment
      glib-macros: Make subclassable test actually do something at runtime
      glib: Add bindings for `g_value_set_static_string()` and `g_value_set_interned_string()`
      glib: Fix `MatchInfo::next()` handling of returning `FALSE`
      glib: Improve `ValueArray` API, add tests and assertions for invalid usage
      glib: Add unsafe `Value::into_send_value()`
      gio: Move conditionally used imports to the place where they're used
      gio: Properly export Win32InputStream / Win32OutputStream traits
      gio: Remove unused ffi import on Windows
      Update `clone!` and `closure!` macro to new syntax
      glib-macros: Fix unit return in `closure!()` macro
      Merge pull request #​1438 from sdroege/clone-new-closure-unit-return
      Downgrade clap to 4.4 for MSRV 1.70
      Update gir
      gio: Mark `File::copy_async_with_closures()` and `move_async_with_closures() as ignored
      Regenerate with latest gir
      cairo: Update to system-deps 7
      Update to system-deps 7
      glib-macros: Don't produce unnecessary braces in `clone!(async move { x })`
      Update gir
      Update gir-files
      Regenerate with latest gir / gir-files
      Merge pull request #​1448 from sdroege/update-gir-files
      glib: Make `TypeData` struct fields private
      examples: Port remaining example to new `clone!` macro syntax
      glib: Add support for registering GTypes with name conflicts
      Update gir
      Update gir-files
      glib-sys: Add version for `q_sort_array()`
      Regenerate with latest gir / gir-files
      Update Cargo.lock
      Update gir-files
      Regenerate with latest gir-files
      Update Cargo.lock

Ville Hakulinen:
      gio: correctly free argument list items
      tests: skip failing test on windows
      docs: `construct` attribute for `glib::Properties`
      docs: fix typo

liushuyu:
      glib-sys: remove the redundant `ignore = true` line
      glib-sys: fix manual.h header to include proper headers ...
      glib-sys: remove deprecated lock types ...
      glib-sys: re-generate bindings and tests

misson20000:
      glib: Implement Sync for ThreadGuard

v0.19.9

Compare Source

Paolo Borelli:
      glib-macros: do not emit deprecation warnings for old clone! and closure! in 0.19
      glib-macros: make new clone! and closure! syntax a feature
      glib-macros: restore stable documentation of clone! and closure!
      glib-macros: make tests for new clone! conditional as well
      glib: stick to the old clone syntax

Sebastian Dröge:
      Update `clone!` and `closure!` macro to new syntax
      glib-macros: Fix unit return in `closure!()` macro
      glib-macros: Don't produce unnecessary braces in `clone!(async move { x })`
      glib-macros: Fix clone tests to work with both the unstable syntax enabled and not
      Update Cargo.lock
      Update versions to 0.19.9
      glib: Depend on glib-macros 0.19.9 for the new feature

v0.19.8

Compare Source

Bilal Elmoussaoui:
      glib: Requires Upgrade on Downgrade::Weak type
      glib: Mark GParamSpec types as manual
      glib: Don't use macros to generate ParamSpec structs
      Fix various nightly clippy warnings

Fina Wilke:
      glib-macros: Fix links in property macros docs
      docs: Fix broken links
      glib: Make links in README.md work in both web and rustdoc

Paolo Borelli:
      ci: bump gvsbuild
      gio: remove Send + Sync requirements from DBusConnection::register_object
      gio: remove Send + Sync requirements also for other GDBus closures
      gio: explicitely ignore DBusConnection::register_object
      Fix cargo fmt
      Derive TransparentPtrType trait for Boxed
      strv: add From implementation from a String array
      Regen with the latest gir from 0.19 branch
      gio: sync test with master

Sebastian Dröge:
      glib: Extend `spawn_from_within()` test to actually use a future that compiles with the normal `spawn()`
      gio: Properly export Win32InputStream / Win32OutputStream traits

v0.19.7

Compare Source

Fina Wilke:
      glib-macros: Fix clippy warnings in tests
      glib-macros: Properties: Annotate methods with #[allow(dead_code)]

Sebastian Dröge:
      glib-macros: Make subclassable test actually do something at runtime
      glib: Add bindings for `g_value_set_static_string()` and `g_value_set_interned_string()`
      Update Cargo.lock
      glib: Convert safety doc comment to a normal comment
      Update versions to 0.19.7

v0.19.6

Compare Source

Fina Wilke :
      glib: Only implement Send an JoinHandle if the result is Send

Sebastian Dröge:
      glib: Don't use `g_object_list_properties()` for setting properties
      glib: Add missing `Send` bound to the output type of the `spawn_from_within()` future
      Update versions to 0.19.6

misson20000:
      glib: Implement Sync for ThreadGuard

v0.19.5

Compare Source

Bilal Elmoussaoui:
      Revert "glib: Auto generate various win32 functions"
      glib/gio: Remove no longer used version/ignore
      glib: Ignore new unsafe functions

Fina Wilke:
      glib-macros/properties: Allow structs with no properties
      glib::wrapper: Add docs for impls generated by the wrapper macro

Kévin Commaille:
      glib-macros: Improve error message when Properties struct doesn't have at least one #[property(…)]

Sebastian Dröge:
      Update version to 0.19.4
      Update gir
      Update gir-files
      Regenerate with updated gir / gir-files
      glib: Use `time_t` correctly for manual bindings
      glib-sys: Map `glib_sys::GPid` directly to `libc::pid_t`
      gio-sys: Hide UNIX specific `Credentials` API on Windows
      gio: Use correct types for UNIX-specific `Credentials` API
      glib: Freeze property notifications while setting multiple properties
      ci: Enable glib-sys / gobject-sys tests
      Update Cargo.lock
      ci: Update gvsbuild git reference
      glib: Re-add and rename manual Win32 API additions
      Update versions to 0.19.5

liushuyu:
      glib-sys: remove the redundant `ignore = true` line
      glib-sys: fix manual.h header to include proper headers ...
      glib-sys: remove deprecated lock types ...
      glib-sys: re-generate bindings and tests

v0.19.4

Compare Source

Bilal Elmoussaoui:
      Fix nightly clippy warnings
      gio: Stop re-exporting all the types in prelude
      gio: Move guards to trait definitions
      gio/socket: Replace c_int import with full qualifier
      gio/tests: Guard variable that is used on windows only builds
      typos: Ignore guid false-positive

Fabio Valentini:
      glib: fix UB in VariantStrIter::impl_get

Maximiliano Sandoval:
      Document values of Continue and Break

Sebastian Dröge:
      Work around rustdoc-stripper bug
      Fix glib compiletest expected output for Rust 1.77
      Update Cargo.lock
      Revert "deny: Add heck 0.4 to the ignore list"
      Update version to 0.19.4

Ville Hakulinen:
      docs: `construct` attribute for `glib::Properties`
      docs: fix typo

v0.19.3

Compare Source

Matthew Waters:
      pango: add some missing AttrInt constructors.

Paolo Borelli:
      macros: allow to specify #[default] for glib::flags

Sebastian Dröge:
      glib: Add `Quark::from_static_str()`
      glib: Use `Self` instead of `Quark` in a few places
      glib: Drop the main context future return value sender on finalize
      glib: Fix memory leak in `subclass::shared` tests
      glib: Use `glib::GString` for collate keys
      glib: Avoid heap allocation and copy of input strings for collation
      glib: Don't misuse `slice::get_unchecked()`
      Update versions to 0.19.3

Ville Hakulinen:
      gio: correctly free argument list items
      tests: skip failing test on windows

v0.19.2

Compare Source

What's Changed

Bilal Elmoussaoui:
      chore: Drop no longer needed deny skips
      docs: Move metadata back to packages

L. E. Segovia:
      cairo: Fix version of the v1_18 feature

Sebastian Dröge:
      Fix some new clippy warnings
      glib-macros: Require at least syn 2.0.32
      glib: Fix expected error output of compiletests for 1.76
      Update Cargo.lock
      Update version to 0.19.2

Full Changelog: gtk-rs/gtk-rs-core@0.19.1...0.19.2

v0.19.0

Compare Source

What's Changed

New Contributors

Full Changelog: gtk-rs/gtk-rs-core@0.18.0...0.19.0

v0.18.5

Compare Source

Guillaume Desmottes:
      glib: improve message on deprecated channel API

Paolo Borelli:
      macros: generate GlibPtrDefault when deriving Boxed and SharedBoxed

Sebastian Dröge:
      Fix / work around a couple of new clippy 1.75 warnings
      Update versions to 0.18.5

v0.18.4

Compare Source

Guillaume Gomez :
      Fix new clippy lints

Sebastian Dröge:
      glib: Deprecate main context channel
      gio: Don't wrongly cast `DataInputStream` byte arrays to a const pointer
      Update versions to 0.18.4

Zander Brown:
      gio: return NULL from spawn_blocking's underlying gtask

v0.18.3

Compare Source

Aaron Erhardt:
      glib-macros: Mark property getters as #[must_use]

Bilal Elmoussaoui:
      Fix nightly clippy warnings

Brian Vincent:
      fix glyph string analysis methods that don't need &mut

Colin Walters:
      glib/GStringPtr: Add `as_str()` and `Deref<Target=&str>`

Desuwa:
      Add _full and _local_full methods for idle and timeout callbacks.

Eva Pace:
      glib-macros: Remove unused imports from Properties doc test

Julian Hofer:
      Add `spawn_future` and `spawn_future_local` convenience functions

Kévin Commaille:
      gio: Use weak reference to ActionMap when adding action entries

Paolo Borelli:
      gio: fix UnixSocketAddress constructor with a path

Sebastian Dröge:
      Require a mutable reference for the `glib::List` mutable iterators
      glib-macros: Update to proc-macro-crate 2
      Switch to `resolver = "2"` for the workspace
      Update gir / gir-files to latest 0.18 barnch
      Regenerate with latest gir / gir-files
      Update versions to 0.18.3

v0.18.2

Compare Source

What's Changed

v0.18.1

Compare Source

What's Changed

v0.18.0

Compare Source

What's Changed

New Contributors

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Dec 24, 2024
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package glib@0.16.9 --precise 0.20.0
error: failed to acquire package cache lock

Caused by:
  failed to open: /home/ubuntu/.cargo/.package-cache

Caused by:
  failed to create directory `/home/ubuntu/.cargo`

Caused by:
  File exists (os error 17)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants