Deps.rs

datafusion 31.0.0

[![dependency status](https://deps.rs/crate/datafusion/31.0.0/status.svg)](https://deps.rs/crate/datafusion/31.0.0)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate datafusion

Dependencies

(41 total, 19 outdated, 3 possibly insecure)

CrateRequiredLatestStatus
 ahash^0.80.8.12up to date
 apache-avro^0.150.21.0out of date
 arrow^46.0.058.0.0out of date
 arrow-array^46.0.058.0.0out of date
 arrow-schema^46.0.058.0.0out of date
 async-compression^0.4.00.4.41up to date
 async-trait^0.1.410.1.89up to date
 bytes ⚠️^1.41.11.1maybe insecure
 bzip2 ⚠️^0.4.30.6.1out of date
 chrono^0.4.270.4.44up to date
 dashmap^5.4.06.1.0out of date
 datafusion-common^31.0.052.2.0out of date
 datafusion-execution^31.0.052.2.0out of date
 datafusion-expr^31.0.052.2.0out of date
 datafusion-optimizer^31.0.052.2.0out of date
 datafusion-physical-expr^31.0.052.2.0out of date
 datafusion-sql^31.0.052.2.0out of date
 flate2^1.0.241.1.9up to date
 futures^0.30.3.32up to date
 glob^0.3.00.3.3up to date
 half^2.12.7.1up to date
 hashbrown^0.140.16.1out of date
 indexmap^2.0.02.13.0up to date
 itertools^0.110.14.0out of date
 log^0.40.4.29up to date
 num-traits^0.20.2.19up to date
 num_cpus^1.13.01.17.0up to date
 object_store ⚠️^0.7.00.13.1out of date
 parking_lot^0.120.12.5up to date
 parquet^46.0.058.0.0out of date
 percent-encoding^2.2.02.3.2up to date
 pin-project-lite^0.2.70.2.17up to date
 rand^0.80.10.0out of date
 sqlparser^0.37.00.61.0out of date
 tempfile^33.26.0up to date
 tokio^1.281.50.0up to date
 tokio-util^0.7.40.7.18up to date
 url^2.22.5.8up to date
 uuid^1.01.21.0up to date
 xz2^0.10.1.7up to date
 zstd^0.120.13.3out of date

Dev dependencies

(16 total, 6 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 async-trait^0.1.530.1.89up to date
 bigdecimal^0.4.10.4.10up to date
 criterion^0.50.8.2out of date
 csv^1.1.61.4.0up to date
 ctor^0.2.00.6.3out of date
 doc-comment^0.30.3.4up to date
 env_logger^0.100.11.9out of date
 half^2.2.12.7.1up to date
 nix^0.26.10.31.2out of date
 postgres-protocol^0.6.40.6.10up to date
 postgres-types^0.2.40.2.12up to date
 regex ⚠️^1.5.41.12.3maybe insecure
 rstest^0.18.00.26.1out of date
 rust_decimal^1.27.01.40.0up to date
 thiserror^1.0.372.0.18out of date
 tokio-postgres^0.7.70.7.16up to date

Security Vulnerabilities

regex: Regexes with large repetitions on empty sub-expressions take a very long time to parse

RUSTSEC-2022-0013

The Rust Security Response WG was notified that the regex crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.

This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the regex crate is used to parse untrusted regexes. Other uses of the regex crate are not affected by this vulnerability.

Overview

The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.

Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.

Affected versions

All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5.

Mitigations

We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the regex crate.

Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.

Acknowledgements

We want to thank Addison Crump for responsibly disclosing this to us according to the Rust security policy, and for helping review the fix.

We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.

bzip2: bzip2 Denial of Service (DoS)

RUSTSEC-2023-0004

Working with specific payloads can cause a Denial of Service (DoS) vector.

Both Decompress and Compress implementations can enter into infinite loops given specific payloads entered that trigger it.

The issue is described in great detail in the bzip2 repository issue.

Thanks to bjrjk for finding and providing the patch for the issue and the maintainer responsibly responding to release a fix quickly.

Users who use the crate with untrusted data should update the bzip2 to 0.4.4.

object_store: Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files

RUSTSEC-2024-0358

Exposure of temporary credentials in logs in Apache Arrow Rust Object Store, version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens.

On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity. This allows someone with access to the logs to impersonate that identity, including performing their own calls to AssumeRoleWithWebIdentity, until the OIDC token expires. Typically OIDC tokens are valid for up to an hour, although this will vary depending on the issuer.

Users are recommended to use a different AWS authentication mechanism, disable logging or upgrade to version 0.10.2, which fixes this issue.

Details

When using AWS WebIdentityTokens with the object_store crate, in the event of a failure and automatic retry, the underlying reqwest error, including the full URL with the credentials, potentially in the parameters, is written to the logs.

Thanks to Paul Hatcherian for reporting this vulnerability

bytes: Integer overflow in `BytesMut::reserve`

RUSTSEC-2026-0007

In the unique reclaim path of BytesMut::reserve, the condition

if v_capacity >= new_cap + offset

uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB.

This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.

PoC

use bytes::*;

fn main() {
    let mut a = BytesMut::from(&b"hello world"[..]);
    let mut b = a.split_off(5);

    // Ensure b becomes the unique owner of the backing storage
    drop(a);

    // Trigger overflow in new_cap + offset inside reserve
    b.reserve(usize::MAX - 6);

    // This call relies on the corrupted cap and may cause UB & HBO
    b.put_u8(b'h');
}

Workarounds

Users of BytesMut::reserve are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.