Deps.rs

wasmtime-environ 0.7.0

[![dependency status](https://deps.rs/crate/wasmtime-environ/0.7.0/status.svg)](https://deps.rs/crate/wasmtime-environ/0.7.0)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate wasmtime-environ

Dependencies

(23 total, 15 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 base64^0.11.00.22.1out of date
 bincode^1.1.41.3.3up to date
 cranelift-codegen ⚠️^0.50.00.107.1out of date
 cranelift-entity^0.50.00.107.1out of date
 cranelift-wasm^0.50.00.107.1out of date
 directories^2.0.15.0.1out of date
 errno^0.2.40.3.8out of date
 file-per-thread-logger^0.1.10.2.0out of date
 indexmap^1.0.22.2.6out of date
 lazy_static^1.3.01.4.0up to date
 libc^0.2.600.2.154up to date
 lightbeam^0.7.00.30.0out of date
 log^0.4.80.4.21up to date
 more-asserts^0.2.10.3.1out of date
 rayon^1.21.10.0up to date
 serde^1.0.941.0.200up to date
 sha2^0.8.00.10.8out of date
 spin ⚠️^0.5.00.9.8out of date
 thiserror^1.0.41.0.59up to date
 toml^0.5.50.8.12out of date
 wasmparser^0.39.20.206.0out of date
 winapi^0.3.70.3.9up to date
 zstd^0.50.13.1out of date

Dev dependencies

(6 total, 4 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 cranelift-codegen ⚠️^0.50.00.107.1out of date
 filetime^0.2.70.2.23up to date
 pretty_env_logger^0.3.00.5.0out of date
 rand^0.7.00.8.5out of date
 target-lexicon^0.9.00.12.14out of date
 tempfile^33.10.1up to date

Security Vulnerabilities

spin: Wrong memory orderings in RwLock potentially violates mutual exclusion

RUSTSEC-2019-0013

Wrong memory orderings inside the RwLock implementation allow for two writers to acquire the lock at the same time. The drop implementation used Ordering::Relaxed, which allows the compiler or CPU to reorder a mutable access on the locked data after the lock has been yielded.

Only users of the RwLock implementation are affected. Users of Once (including users of lazy_static with the spin_no_std feature enabled) are NOT affected.

On strongly ordered CPU architectures like x86, the only real way that this would lead to a memory corruption is if the compiler reorders an access after the lock is yielded, which is possible but in practice unlikely. It is a more serious issue on weakly ordered architectures such as ARM which, except in the presence of certain instructions, allow the hardware to decide which accesses are seen at what times. Therefore on an ARM system it is likely that using the wrong memory ordering would result in a memory corruption, even if the compiler itself doesn't reorder the memory accesses in a buggy way.

The flaw was corrected by https://github.com/mvdnes/spin-rs/pull/66.

cranelift-codegen: Memory access due to code generation flaw in Cranelift module

RUSTSEC-2021-0067

There is a bug in 0.73.0 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a WebAssembly module. Users of versions 0.73.0 of Cranelift should upgrade to either 0.73.1 or 0.74 to remediate this vulnerability. Users of Cranelift prior to 0.73.0 should update to 0.73.1 or 0.74 if they were not using the old default backend.

More details can be found in the GitHub Security Advisory at:

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5