From caa92b73a7542bbc84a54783e9c0ae2dd2145278 Mon Sep 17 00:00:00 2001
From: shivvinay
Date: Wed, 25 Feb 2026 16:33:02 +0530
Subject: [PATCH 1/2] fix: upgrade tokio 0.2 to 1.x and futures 0.3.5 to 0.3.32 to resolve CVEs
Upgrades Rust dependencies to fix the following vulnerabilities:
- CVE-2021-45710 / GHSA-rr8g-9fpq-6wmg / GHSA-4q83-7cq4-p6wg (tokio)
- CVE-2020-35906 (futures-task)
- CVE-2020-35905 (futures-util)
- CVE-2020-35711 (arc-swap, removed as transitive dep)
- CVE-2020-35919 / CVE-2020-35920 (net2/socket2, removed)
- CVE-2020-35921 (miow, removed)
Key changes:
- tokio 0.2.13 -> 1.49.0 (basic_scheduler -> flavor="current_thread")
- futures 0.3.5 -> 0.3.32
- Replace tokio::prelude with explicit imports
- Use AsyncRead::read instead of read_buf for stream processing
- Use child.wait() instead of direct child future (tokio 1.x API)
---
 priv/Cargo.lock | 357 +++++++++-------------------------------------
 priv/Cargo.toml | 6 +-
 priv/src/main.rs | 27 ++--
 3 files changed, 86 insertions(+), 304 deletions(-)
diff --git a/priv/Cargo.lock b/priv/Cargo.lock
index c53bb94..9f17c9c 100644
--- a/priv/Cargo.lock
+++ b/priv/Cargo.lock
@@ -1,50 +1,28 @@ # This file is automatically @generated by Cargo. # It is not intended for manual editing. -[[package]] -name = "arc-swap" -version = "0.4.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7b8a9123b8027467bce0099fe556c628a53c8d83df0507084c31e9ba2e39aff" - -[[package]] -name = "bitflags" -version = "1.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" +version = 4 [[package]] name = "bytes" -version = "0.5.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "130aac562c0dd69c56b3b1cc8ffd2e17be31d0b6c25b61c96b76231aa23e39e1" - -[[package]] -name = "cfg-if" -version = "0.1.10" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822" +checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33" [[package]] -name = "fuchsia-zircon" -version = "0.3.3" +name = "errno" +version = "0.3.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2e9763c69ebaae630ba35f74888db465e49e259ba1bc0eda7d06f4a067615d82" +checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ - "bitflags", - "fuchsia-zircon-sys", + "libc", + "windows-sys", ] -[[package]] -name = "fuchsia-zircon-sys" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3dcaa9ae7725d12cdb85b3ad99a434db70b468c09ded17e012d86b5c1010f7a7" - [[package]] name = "futures" -version = "0.3.5" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e05b85ec287aac0dc34db7d4a569323df697f9c55b99b15d6b4ef8cde49f613" +checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d" dependencies = [ "futures-channel", "futures-core", 
@@ -57,9 +35,9 @@ dependencies = [ [[package]] name = "futures-channel" -version = "0.3.5" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f366ad74c28cca6ba456d95e6422883cfb4b252a83bed929c83abfdbbf2967d5" +checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d" dependencies = [ "futures-core", "futures-sink", @@ -67,15 +45,15 @@ dependencies = [ [[package]] name = "futures-core" -version = "0.3.5" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "59f5fff90fd5d971f936ad674802482ba441b6f09ba5e15fd8b39145582ca399" +checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d" [[package]] name = "futures-executor" -version = "0.3.5" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "10d6bb888be1153d3abeb9006b11b02cf5e9b209fda28693c31ae1e4e012e314" +checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d" dependencies = [ "futures-core", "futures-task", @@ -84,17 +62,16 @@ dependencies = [ [[package]] name = "futures-io" -version = "0.3.5" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "de27142b013a8e869c14957e6d2edeef89e97c289e69d042ee3a49acd8b51789" +checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718" [[package]] name = "futures-macro" -version = "0.3.5" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d0b5a30a4328ab5473878237c447333c093297bded83a4983d10f4deea240d39" +checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b" dependencies = [ - "proc-macro-hack", "proc-macro2", "quote", "syn", 
@@ -102,24 +79,21 @@ dependencies = [ [[package]] name = "futures-sink" -version = "0.3.5" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3f2032893cb734c7a05d85ce0cc8b8c4075278e93b24b66f9de99d6eb0fa8acc" +checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893" [[package]] name = "futures-task" -version = "0.3.5" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bdb66b5f09e22019b1ab0830f7785bcea8e7a42148683f99214f73f8ec21a626" -dependencies = [ - "once_cell", -] +checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393" [[package]] name = "futures-util" -version = "0.3.5" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8764574ff08b701a084482c3c7031349104b07ac897393010494beaa18ce32c6" +checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6" dependencies = [ "futures-channel", "futures-core", 
@@ -128,203 +102,53 @@ dependencies = [ "futures-sink", "futures-task", "memchr", - "pin-project", - "pin-utils", - "proc-macro-hack", - "proc-macro-nested", + "pin-project-lite", "slab", ] -[[package]] -name = "iovec" -version = "0.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2b3ea6ff95e175473f8ffe6a7eb7c00d054240321b84c57051175fe3c1e075e" -dependencies = [ - "libc", -] - -[[package]] -name = "kernel32-sys" -version = "0.2.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7507624b29483431c0ba2d82aece8ca6cdba9382bff4ddd0f7490560c056098d" -dependencies = [ - "winapi 0.2.8", - "winapi-build", -] - -[[package]] -name = "lazy_static" -version = "1.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" - [[package]] name = "libc" -version = "0.2.67" +version = "0.2.182" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb147597cdf94ed43ab7a9038716637d2d1bf2bc571da995d0028dec06bd3018" - -[[package]] -name = "log" -version = "0.4.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7" -dependencies = [ - "cfg-if", -] +checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112" [[package]] name = "memchr" -version = "2.3.3" +version = "2.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400" +checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79" [[package]] name = "mio" -version = "0.6.21" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "302dec22bcf6bae6dfb69c647187f4b4d0fb6f535521f7bc022430ce8e12008f" -dependencies = [ - "cfg-if", - "fuchsia-zircon", - "fuchsia-zircon-sys", - "iovec", - "kernel32-sys", - "libc", - "log", - 
"miow 0.2.1", - "net2", - "slab", - "winapi 0.2.8", -] - -[[package]] -name = "mio-named-pipes" -version = "0.1.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f5e374eff525ce1c5b7687c4cef63943e7686524a387933ad27ca7ec43779cb3" -dependencies = [ - "log", - "mio", - "miow 0.3.3", - "winapi 0.3.8", -] - -[[package]] -name = "mio-uds" -version = "0.6.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "966257a94e196b11bb43aca423754d87429960a768de9414f3691d6957abf125" -dependencies = [ - "iovec", - "libc", - "mio", -] - -[[package]] -name = "miow" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c1f2f3b1cf331de6896aabf6e9d55dca90356cc9960cca7eaaf408a355ae919" -dependencies = [ - "kernel32-sys", - "net2", - "winapi 0.2.8", - "ws2_32-sys", -] - -[[package]] -name = "miow" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "396aa0f2003d7df8395cb93e09871561ccc3e785f0acb369170e8cc74ddf9226" -dependencies = [ - "socket2", - "winapi 0.3.8", -] - -[[package]] -name = "net2" -version = "0.2.33" +version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "42550d9fb7b6684a6d404d9fa7250c2eb2646df731d1c06afc06dcee9e1bcf88" +checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc" dependencies = [ - "cfg-if", "libc", - "winapi 0.3.8", -] - -[[package]] -name = "once_cell" -version = "1.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b631f7e854af39a1739f401cf34a8a013dfe09eac4fa4dba91e9768bd28168d" - -[[package]] -name = "pin-project" -version = "0.4.17" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "edc93aeee735e60ecb40cf740eb319ff23eab1c5748abfdb5c180e4ce49f7791" -dependencies = [ - "pin-project-internal", -] - -[[package]] -name = "pin-project-internal" -version = "0.4.17" -source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "e58db2081ba5b4c93bd6be09c40fd36cb9193a8336c384f3b40012e531aa7e40" -dependencies = [ - "proc-macro2", - "quote", - "syn", + "wasi", + "windows-sys", ] [[package]] name = "pin-project-lite" -version = "0.1.4" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "237844750cfbb86f67afe27eee600dfbbcb6188d734139b534cbfbf4f96792ae" - -[[package]] -name = "pin-utils" -version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" - -[[package]] -name = "proc-macro-hack" -version = "0.5.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ecd45702f76d6d3c75a80564378ae228a85f0b59d2f3ed43c91b4a69eb2ebfc5" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - -[[package]] -name = "proc-macro-nested" -version = "0.1.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "369a6ed065f249a159e06c45752c780bda2fb53c995718f9e484d08daa9eb42e" +checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b" [[package]] name = "proc-macro2" -version = "1.0.9" +version = "1.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c09721c6781493a2a492a96b5a5bf19b65917fe6728884e7c44dd0c60ca3435" +checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934" dependencies = [ - "unicode-xid", + "unicode-ident", ] [[package]] name = "quote" -version = "1.0.3" +version = "1.0.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2bdc6c187c65bca4260c9011c9e3132efe4909da44726bad24cf7572ae338d7f" +checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4" dependencies = [ "proc-macro2", ] 
@@ -337,75 +161,53 @@ dependencies = [ "tokio", ] -[[package]] -name = "redox_syscall" -version = "0.1.56" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2439c63f3f6139d1b57529d16bc3b8bb855230c8efcc5d3a896c8bea7c3b1e84" - [[package]] name = "signal-hook-registry" -version = "1.2.0" +version = "1.4.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94f478ede9f64724c5d173d7bb56099ec3e2d9fc2774aac65d34b8b890405f41" +checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b" dependencies = [ - "arc-swap", + "errno", "libc", ] [[package]] name = "slab" -version = "0.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c111b5bd5695e56cffe5129854aa230b39c93a305372fdbb2668ca2394eea9f8" - -[[package]] -name = "socket2" -version = "0.3.11" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e8b74de517221a2cb01a53349cf54182acdc31a074727d3079068448c0676d85" -dependencies = [ - "cfg-if", - "libc", - "redox_syscall", - "winapi 0.3.8", -] +checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5" [[package]] name = "syn" -version = "1.0.16" +version = "2.0.117" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "123bd9499cfb380418d509322d7a6d52e5315f064fe4b3ad18a53d6b92c07859" +checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99" dependencies = [ "proc-macro2", "quote", - "unicode-xid", + "unicode-ident", ] [[package]] name = "tokio" -version = "0.2.13" +version = "1.49.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fa5e81d6bc4e67fe889d5783bd2a128ab2e0cfa487e0be16b6a8d177b101616" +checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86" dependencies = [ "bytes", - "lazy_static", "libc", - "memchr", "mio", - "mio-named-pipes", - "mio-uds", "pin-project-lite", "signal-hook-registry", "tokio-macros", - 
"winapi 0.3.8", + "windows-sys", ] [[package]] name = "tokio-macros" -version = "0.2.5" +version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0c3acc6aa564495a0f2e1d59fab677cd7f81a19994cfc7f3ad0e64301560389" +checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5" dependencies = [ "proc-macro2", "quote", 
@@ -413,51 +215,28 @@ dependencies = [ ] [[package]] -name = "unicode-xid" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c" - -[[package]] -name = "winapi" -version = "0.2.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "167dc9d6949a9b857f3451275e911c3f44255842c1f7a76f33c55103a909087a" - -[[package]] -name = "winapi" -version = "0.3.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6" -dependencies = [ - "winapi-i686-pc-windows-gnu", - "winapi-x86_64-pc-windows-gnu", -] - -[[package]] -name = "winapi-build" -version = "0.1.1" +name = "unicode-ident" +version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d315eee3b34aca4797b2da6b13ed88266e6d612562a0c46390af8299fc699bc" +checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" [[package]] -name = "winapi-i686-pc-windows-gnu" -version = "0.4.0" +name = "wasi" +version = "0.11.1+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" +checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b" [[package]] -name = "winapi-x86_64-pc-windows-gnu" -version = "0.4.0" +name = "windows-link" +version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" +checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5" [[package]] -name = "ws2_32-sys" -version = "0.2.1" +name = "windows-sys" +version = "0.61.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d59cefebd0c892fa2dd6de581e937301d8552cb44489cdff035c6187cb63fa5e" +checksum = 
"ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
 dependencies = [
- "winapi 0.2.8",
- "winapi-build",
+ "windows-link",
 ]
diff --git a/priv/Cargo.toml b/priv/Cargo.toml
index e69d0db..10b7080 100644
--- a/priv/Cargo.toml
+++ b/priv/Cargo.toml
@@ -2,8 +2,8 @@
 name = "rambo"
 version = "0.3.4"
 authors = ["Tan Jay Jun"]
-edition = "2018"
+edition = "2021"
 [dependencies]
-tokio = { version = "0.2", features = ["io-std", "io-util", "macros", "process", "rt-core"] }
-futures = "0.3.5"
+tokio = { version = "1", features = ["io-std", "io-util", "macros", "process", "rt"] }
+futures = "0.3"
diff --git a/priv/src/main.rs b/priv/src/main.rs
index 68c8100..13e15cc 100644
--- a/priv/src/main.rs
+++ b/priv/src/main.rs
@@ -2,7 +2,7 @@ use futures::future::FutureExt;
 use std::collections::HashMap;
 use std::io::ErrorKind;
 use std::process::{ExitStatus, Stdio};
-use tokio::prelude::*;
+use tokio::io::{self, AsyncRead, AsyncReadExt, AsyncWriteExt};
 use tokio::process::{ChildStdin, Command};
 #[derive(Debug)]
@@ -114,7 +114,7 @@ impl Message {
     async fn stream_to_child(mut stdin: ChildStdin, input: Option>) -> io::Result<()> {
         if let Some(input) = input {
-            stdin.write_all(&input.as_slice()).await?;
+            stdin.write_all(input.as_slice()).await?;
             stdin.flush().await?;
         }
         Ok(())
@@ -122,14 +122,17 @@ impl Message {
     async fn stream_to_erlang(mut stream: S, create_message: F) -> io::Result<()>
     where
-        S: AsyncRead,
+        S: AsyncRead + Unpin,
         F: Fn(Vec) -> Message,
     {
-        let mut buffer = vec![];
-        while stream.read_buf(&mut buffer).await? > 0 {
-            let message = create_message(buffer.clone());
+        let mut buffer = vec![0u8; 65536];
+        loop {
+            let n = stream.read(&mut buffer).await?;
+            if n == 0 {
+                break;
+            }
+            let message = create_message(buffer[..n].to_vec());
             message.write_to_erlang().await;
-            buffer.clear();
         }
         Ok(())
     }
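Review bot: The `65536` in `let mut buffer = vec![0u8; 65536];` is a bare magic number that now sets the maximum size of every Stdout/Stderr message forwarded to Erlang, and nothing in the hunk says why that size was chosen; name it, e.g. `const READ_CHUNK: usize = 64 * 1024; // upper bound on one Stdout/Stderr message` above the function and `let mut buffer = vec![0u8; READ_CHUNK];`. The replaced `read_buf` path let the Vec grow between reads, so the chunking seen by the Elixir side may differ from before; a doc comment on `stream_to_erlang` stating that output is forwarded as it arrives in chunks of at most that size would record the new contract. The enclosing `impl Message` block starts and ends outside this hunk.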
@@ -223,7 +226,7 @@ async fn run_command(mut command: Command, input: Option>) -> io::Result
     let stderr = Message::stream_to_erlang(stderr, Message::Stderr).fuse();
     let mut stderr = Box::pin(stderr);
-    let child = child.fuse();
+    let child = child.wait().fuse();
     let mut child = Box::pin(child);
     let mut stdin_done = false;
@@ -234,9 +237,9 @@ async fn run_command(mut command: Command, input: Option>) -> io::Result
     while !stdin_done || !stdout_done || !stderr_done || child_result.is_none() {
         futures::select_biased! {
             error = monitor => return Err(error),
-            result = stdin => stdin_done = true,
-            result = stdout => stdout_done = true,
-            result = stderr => stderr_done = true,
+            _result = stdin => stdin_done = true,
+            _result = stdout => stdout_done = true,
+            _result = stderr => stderr_done = true,
             result = child => child_result = Some(result),
         }
     }
@@ -255,7 +258,7 @@ async fn run() -> io::Result<()> {
 static mut DEBUG: bool = false;
-#[tokio::main(basic_scheduler)]
+#[tokio::main(flavor = "current_thread")]
 async fn main() {
     unsafe {
         DEBUG = std::env::var_os("RAMBO_DEBUG").is_some();
From 4b3412074e2cda6502141d5f6b18c252d257367a Mon Sep 17 00:00:00 2001
From: shivvinay
Date: Wed, 25 Feb 2026 16:45:52 +0530
Subject: [PATCH 2/2] fix: pin tokio and futures to exact versions
Pin tokio to =1.49.0 and futures to =0.3.32 instead of relying on Cargo version resolution.
---
 priv/Cargo.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/priv/Cargo.toml b/priv/Cargo.toml
index 10b7080..7a077bd 100644
--- a/priv/Cargo.toml
+++ b/priv/Cargo.toml
@@ -5,5 +5,5 @@ authors = ["Tan Jay Jun"]
 edition = "2021"
 [dependencies]
-tokio = { version = "1", features = ["io-std", "io-util", "macros", "process", "rt"] }
-futures = "0.3"
+tokio = { version = "=1.49.0", features = ["io-std", "io-util", "macros", "process", "rt"] }
+futures = "=0.3.32"
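Review bot: With `let child = child.wait().fuse();` the `Child` handle is kept alive only by the shadowed binding, so it is dropped whenever `run_command` returns early through the `error = monitor => return Err(error)` arm, and in tokio 1.x a dropped `Child` does not terminate the process unless `Command::kill_on_drop(true)` was set where the Command is built, which is outside this hunk. If that flag is not set, the spawned process outlives the Erlang side that stopped listening, which is precisely the leak this shim exists to prevent; and because `wait()` holds a `&mut` borrow on the `Child`, `kill()` cannot be called from the select arms without restructuring. Please confirm `kill_on_drop(true)` is set, and record the dependency on it at this line: `// Child is dropped on early return; relies on kill_on_drop(true) on the Command to terminate the process.` `run_command` begins and ends outside this hunk.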
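Review bot: Renaming the bindings to `_result` in the stdin/stdout/stderr arms silences the unused-variable warning but also hard-codes that an `Err` from `stream_to_erlang` — a failed read on the child's stdout or stderr — is discarded: the arm marks the stream done and, as far as this hunk shows, the child's exit status is later reported as if all output had been forwarded. For stdin a `BrokenPipe` from a child that stops reading early is expected and ignorable, but for the output streams a dropped read error means silently truncated output; consider `result = stdout => { stdout_done = true; result?; }` and the same for stderr, or, if dropping them is intentional, a comment on the arm such as `// read errors on the output streams are ignored; the exit status is still reported`. How `child_result` is turned into the returned value lies outside this hunk.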
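Review bot: Pinning `tokio = { version = "=1.49.0", ... }` and `futures = "=0.3.32"` in Cargo.toml works against the stated goal of this series: `=` requirements stop `cargo update` from ever selecting a later 1.x or 0.3.x release, so the next tokio or futures advisory needs a manifest edit instead of a lockfile refresh, and audit tooling cannot resolve it on its own. The committed `priv/Cargo.lock` already fixes the exact versions that get built, so the manifest only needs a floor that excludes the vulnerable releases: `tokio = { version = "1.49", features = ["io-std", "io-util", "macros", "process", "rt"] }` and `futures = "0.3.32"` build the same today and still let patch releases through. If the exact pin is meant to guard against the lockfile being regenerated, say so in a comment above `[dependencies]` so the next maintainer does not loosen it blindly.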