chore(deps): update rust crate wasmtime-wasi to v33 [security] #346
Open
renovate[bot] wants to merge 1 commit into main from
This PR contains the following updates:
27.0.0 → 33.0.0
Wasmtime CLI is vulnerable to host panic through its fd_renumber function
CVE-2025-53901 / GHSA-fm79-3f68-h2fc
More information
Details
Summary
A bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder).
The specific bug is triggered by calling path_open after calling fd_renumber with either:
The corrupt state introduced in fd_renumber will lead to the subsequent opening of a file descriptor to panic. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic.
This bug is in the implementation of Wasmtime's wasmtime-wasi crate which provides an implementation of WASIp1. The bug requires a specially crafted call to fd_renumber in addition to the ability to open a subsequent file descriptor. Opening a second file descriptor is only possible when a preopened directory was provided to the guest, and this is common amongst embeddings. A panic in the host is considered a denial-of-service vector for WebAssembly embedders and is thus a security issue in Wasmtime.
This bug does not affect WASIp2 and embedders using components.
Patches
In accordance with Wasmtime's release process patch releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other releases of Wasmtime are recommended to move to a supported release of Wasmtime.
Workarounds
Embedders who are using components or are not providing guest access to create more file descriptors (e.g. via a preopened filesystem directory) are not affected by this issue. Otherwise there is no workaround at this time and affected embeddings are recommended to update to a patched version which will not cause a panic in the host.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
bytecodealliance/wasmtime (wasmtime-wasi)
v33.0.2
Released 2025-07-18.
Fixed
Fix a panic in the host caused by preview1 guests using fd_renumber.
CVE-2025-53901.
Fix a panic in the preview1 adapter caused by guests using fd_renumber.
#11277
33.0.1
Released 2025-06-24.
Fixed
types.
#11103
v33.0.0
Released 2025-05-20.
Added
Cranelift now has initial support for try_call and try_call_indirect instructions, to be used in the future for the WebAssembly exception-handling proposal. Wasmtime does not yet implement this proposal.
#10510
#10557
#10593
Cranelift can now optimize some simple possibly-side-effectful instructions,
such as division.
#10524
Wasmtime now supports --invoke for components using the WAVE format.
#10054
Initial support for the Component Model has landed in Wasmtime's C API. Note
that the API is not yet feature-complete, however.
#10566
#10598
#10651
#10675
Wasmtime's C++ API is now available from this repository and the bytecodealliance/wasmtime-cpp repository has been archived. Additionally the monolithic wasmtime.hh header file has been split into separate header files.
#10582
#10600
Wasmtime's cookbook-style documentation has been expanded.
#10630
Wasmtime now supports custom yield behavior when using epoch interrupts.
#10671
Changed
Wasmtime's bindgen now type-checks export functions in the constructor of the generated {Worldname}Pre or {Worldname} structs, rather than at the call of the export function.
#10610
Wasmtime's component::Component and component::Instance now have consistent get_export and get_export_index methods, which return (ComponentItem, ComponentExportIndex) and ComponentExportIndex, respectively.
#10597
On failure, wasmtime serve gives an internal server error response, rather than closing the connection.
#10645
Cranelift's single-pass allocator has been disabled due to being unable to
support internal refactorings in preparation for the WebAssembly exceptions
proposal. Re-enabling this allocator is tracked at
regalloc2#217 for
those interested.
#10554
Wasmtime's {Array,Extern,Struct}Ref functions will now automatically trigger a GC.
#10560
Wasmtime's GC heaps now use the same translation techniques as linear memories
meaning they have far fewer bounds-checks than before.
#10503
Wasmtime's implementation of WASIp2 has moved to wasmtime_wasi::p2 from the root of the crate.
#10073
Wasmtime will no longer emit calls to Cranelift-defined "libcalls" and instead
everything goes through Wasmtime's libcall mechanism instead, paving the way
for a future change for more efficient stack limit checking in wasm. This can
also improve deserialize-from-disk times and improve page cache usage for
modules that use libcalls as relocations are no longer necessary.
#10657
Configuration of caching can now be done through an API instead of exclusively through a configuration file. Additionally cache-related APIs in Config have changed.
#10665
Resources in the Component Model are now stored in a single table per-instance
instead of per-type tables. Guests will see a different pattern of index
allocation but this is not expected to cause any issues at runtime.
#10701
Fixed
Some math intrinsics have been fixed when compiled by Rust 1.87+.
#10534
Component model libcalls correctly handle platform-specific argument extension
in ABIs.
#10540
An off-by-one issue with DWARF debuginfo has been fixed.
#10570
The Config::target method is no longer gated by a #[cfg] for an enabled compiler, it can be used when only the runtime feature is available.
#10618
An issue with "simulated" DWARF has been fixed.
#10681
C/C++ headers are now tested that they can be included in isolation, and a
number of issues have been fixed.
#10694
v32.0.1
Released 2025-06-24.
Fixed
types.
#11103
v32.0.0
Released 2025-04-21.
Added
{Module,Component}::deserialize_raw can now be used to deserialize an in-memory module while relying on external management of the memory.
#10321
An initial implementation of wasi-tls has been added.
#10249
The wasmtime CLI now supports hexadecimal integer CLI arguments.
#10360
Cranelift now supports a log2_min_function_alignment flag.
#10391
A new wasmtime objdump subcommand has been added to help explore and debug *.cwasm files.
#10405
Support for the pooling allocator has been added to the C API.
#10484
Support for the guest profiler with the component model has been added.
#10507
Changed
Cranelift MemFlags now has a can_move flag which restricts whether a load or store can be moved.
#10340
The .text size of Pulley *.cwasm files should be smaller with less padding.
#10285
The wasmtime serve subcommand now implements a graceful shutdown on ctrl-c.
#10394
Stack maps used for GC are now stored in a serialized binary format that is
faster to deserialize.
#10404
The aegraph implementation in Cranelift has been simplified to remove the
union-find and canonical eclass IDs.
#10471
The store_list and load_list helpers have been specialized in components for f32 and f64.
#9892
Cranelift now removes block params on critical-edge blocks.
#10485
The Linker::define_unknown_imports_as_default_values API now supports defining defaults for more kinds of items.
#10500
Wasmtime now requires Rust 1.84.0 to compile.
#10520
Fixed
Winch compilation of extadd instructions has been fixed.
#10337
Fix an issue with DRC collector's barriers.
#10371
Loads on (ref null none) that can trap are now performed.
#10372
Fix reference count management in AnyRef::from_raw.
#10374
An issue with multi-value returns in Winch has been fixed.
#10370
A panic at compile-time from an overflowing shift has been fixed when
targeting aarch64.
#10382
The wasmtime serve command no longer panics when handle returns before calling set.
#10387
Winch compilation of replace_lane instructions with floats has been fixed.
#10393
An invalid integer-shift optimization on vector types has been removed.
#10413
The DWARF loclist to exprloc optimization has been fixed.
#10400
Objects in the DRC collector are now transitively dec-ref'd when collected.
#10401
A bug with GC rec groups and registration in an Engine has been fixed.
#10435
A bug related to GC arrays of GC refs misreported their count of GC edges has
been fixed.
#10453
A bug related to appropriately adding stack maps for all GC variables has been
fixed.
#10456
#10468
A bug with array.fill has been fixed.
#10470
GC structs are no longer reordered to optimize their size to fix subtyping.
#10463
Panics related to exceptions and components being mixed have been fixed.
#10473
Winch stack parameter alignment has been fixed.
#10513
Rendering inline function frames in a trap backtrace has been fixed.
#10523
v31.0.0
Released 2025-03-20.
Added
Winch's implementation of the SIMD proposal for WebAssembly is now
feature-complete (but still being fuzzed).
#10180
#10170
#10203
#10202
#10210
#10213
#10224
#10205
#10226
#10228
#10236
#10241
#10243
#10247
#10271
#10284
#10288
#10296
The pytorch implementation in wasmtime-wasi-nn now has GPU support.
#10204
Cranelift now supports emitting the AArch64 extr instruction.
#10229
Cranelift now supports emitting the x64 shld instruction.
#10233
Initial support for the stack-switching proposal has started to land, but it
is not complete just yet.
#10251
#10265
#10255
Changed
Pulley's implementation of loads/stores to linear memory has changed to
better support optimizations and reduction of interpreter opcodes in the
final binary.
#10154
Cranelift's verifier now ensures that integers used as address types have the
correct width.
#10209
Wasmtime and Cranelift's minimum supported version of Rust is now 1.83.0.
#10264
Wasmtime now mentions the filename when the input cannot be opened on the CLI.
#10292
All types are now generated in component::bindgen!, even if they're not reachable.
#10311
Tables allocated with the system allocator now use alloc_zeroed (aka calloc) for allocation.
#10313
Fixed
GC: the is-null-or-i31ref checks have been fixed.
#10221
GC: an incorrect assertion and canonicalized types for runtime usage has been
fixed.
#10223
GC: subtype checks for imported globals during instantiation have been fixed.
#10304
GC: exposing references to wasm in the gc_alloc_raw libcall has been fixed.
#10322
Winch's fuel checks correctly sync fuel before the check now.
#10231
Winch's treatment of stores and other trapping ops has been fixed on AArch64.
#10201
Winch's handling of the shadow stack pointer has been fixed on AArch64.
#10263
Winch's handling of address calculations has been fixed on AArch64.
#10297
Winch's handling of multivalue return of constants has been fixed.
#10315
v30.0.2
Released 2025-02-25.
Fixed
fix an issue caused by #9929.
#10290
Changed
cranelift-codegen crate now no longer depends on arbitrary, a now-unnecessary dependency.
#10217
v30.0.1
Released 2025-02-21.
Fixed
cranelift-assembler-x64 crate on Windows when the Rust toolchain is on a different drive than the project using wasmtime. For more details, see the Zulip discussion.
#10270
v30.0.0
Released 2025-02-20.
Added
New wasmtime-wasi-io crate provides a #![no_std] wasi:io implementation, factored out of wasmtime-wasi. Users of wasmtime-wasi don't have to depend on this new crate.
#10036
Wasmtime's interpreter, Pulley, is now complete and has been listed as
tier 2.
#9897
#9884
#9943
#9944
#9983
#9966
#9935
#10034
#10057
#10095
Wasmtime's CI now checks that the repository builds for aarch64-apple-ios. Note that no tests are run for this target, so it's still tier 3.
#9888
Winch's support for AArch64 and simd on x64 have continued to progress well. Winch additionally now fully supports the threads WebAssembly proposal.
#9889
#9970
#9950
#9987
#9990
#9959
#10008
#10028
#10029
#10023
#10042
#10050
#10039
#10082
#10092
#10109
#10148
#10147
The memory64 WebAssembly feature is now enabled by default. This WebAssembly proposal is now considered a tier 1 feature.
#9937
#10159
Wasmtime's full test suite and CI now includes 32-bit platforms such as x86
and armv7 Linux. These platforms have been added to tier 3 status and use
Pulley as their execution backend.
#10025
Initial experimental support for WASIp3 and async features of the Component
Model have started to land. These features are not yet ready for
general-purpose use.
#10044
#10047
#10083
#10103
The wasmtime CLI now supports using a TOML configuration file via --config in addition to CLI options.
#9811
#10132
Initial support for a new assembler on x64 has been added.
#10110
#10178
Changed
wasmtime-wasi split the WasiView trait into IoView and WasiView, and wasmtime-wasi-http re-uses IoView in WasiHttpView. Details on porting for embedders in PR.
#10016
wasmtime-wasi renamed some exported types and traits. Embedders which use Pollable, InputStream, OutputStream, Subscribe, HostInputStream, HostOutputStream, PollableFuture, or ClosureFuture from that crate will need to rename those imports to their new names, described in PR.
#10036
Components using a 64-bit linear memory should never have worked before, but
they're now rejected earlier in the validation process.
#9952
Module validation is now deterministic in the face of multiple errors.
#9947
Wasmtime's minimum supported version of Rust is now 1.82.0.
#9956
Cranelift will now deduplicate trap[n]z instructions.
#10004
The --emit-clif option to wasmtime compile now emits post-optimization CLIF.
#10011
The signals-based-traps Cargo feature has been removed in favor of auto-detection of available features based on the #[cfg] directives available for the target platform.
#9941
The async_stack_zeroing configuration knob now covers all stack allocations, not just those from the pooling allocator.
#10027
Wasmtime should work-by-default on more platforms, even those where Cranelift
has no support for the architecture. This is done by ensuring some
architecture and platform-specific bits are removed on unknown platforms (and
Pulley is used instead).
#10107
Wasmtime now compiles on platforms missing 64-bit atomics.
#10134
Fixed
Fixed a missing case for Ref::matches_ty should return true.
#9985
A bug with using the single_pass register allocation algorithm on x64/s390x has been fixed by refactoring how branches are represented.
#10086
#10087
A bug with argument extensions on riscv64 has been fixed.
#10069
The PartialEq implementation for RegisteredType has been fixed.
#10091
The output of component::bindgen! now works with #![no_std] crates.
#10105
Fix wasmtime wast when combined with --fuel.
#10121
The wat feature of the C API is now plumbed correctly in a few more locations.
#10124
Spurious wake-ups in blocking_* methods of InputStream and OutputStream have been fixed.
#10113
v29.0.1
Released 2025-01-21.
Fixed
configurations that have multiple preopened directories.
#10064
v29.0.0
Released 2025-01-20.
Added
Winch now supports epoch-based interruption.
#9737
Pulley, Wasmtime's WebAssembly interpreter, has seen quite a lot of progress
and support fleshed out. It's still not 100% complete but should be about
ready to start kicking the tires.
#9744
The Wasmtime CLI now supports a -Wextended-const flag to control whether the extended-const wasm proposal is enabled or not.
#9768
Work continues to progress on the AArch64 Winch backend, bringing it closer to
completion.
#9762
#9767
#9751
#9784
#9781
#9792
#9787
#9798
#9850
Wasmtime now supports a "custom code publisher" which can be useful when
Wasmtime doesn't have built-in support for a particular environment.
#9778
Configuration options have been added for wasmtime-wasi-http outgoing bodies.
#9800
Log prefixes can now be disabled for the wasmtime serve command.
#9821
A new WASMTIME_LOG_NO_CONTEXT environment variable was added to live alongside WASMTIME_LOG.
#9902
Release artifacts for aarch64-musl targets are now available.
#9934
Changed
Wasmtime libcalls now return whether a trap happened rather than raising a
trap directly to better prepare for the Pulley interpreter and an eventual
implementation of Wasm exception-handling.
#9710
Wasmtime will now use the Pulley interpreter by default on platforms that
are not supported by Cranelift.
#9741
Demangling symbols in profiling and debugging has improved to handle failures
to demangle C++ symbols.
#9756
WASI WIT files have been updated to 0.2.3.
#9807
Wasmtime's bindgen! macro in async mode no longer uses #[async_trait] and instead natively uses async fn in traits.
#9867
Floats are no longer canonicalized flowing into or out of components.
#9879
Instance methods are now translated to static methods in DWARF translation.
#9898
The C API now supports debug builtins for debugging guest code.
#9915
Fixed
The header file for wasmtime_instance_pre_instantiate in the C API has been fixed.
#9770
WebAssembly DWARF is more conservative in its GC pass during translation to
native DWARF.
#9829
Debugging intrinsics are fixed on Linux to be exported now.
#9866
v28.0.1
Released 2025-01-14.
Fixed
Store::into_data.
#10009
v28.0.0
Released 2024-12-20.
Added
The ISLE DSL used for Cranelift now has a first-class bool type.
#9593
Cranelift now supports a new single-pass register allocator designed for
compile-time performance (unlike the current default which is optimized for
runtime-of-generated-code performance).
#9611
The wasmtime crate now natively supports the wasm-wave crate and its encoding of component value types.
#8872
A Module can now be created from an already-open file.
#9571
A new default-enabled crate feature, signals-based-traps, has been added to the wasmtime crate. When disabled then runtime signal handling is not required by the host. This is intended to help with future effort to port Wasmtime to more platforms.
#9614
Linear memories may now be backed by malloc in certain conditions when guard pages are disabled, for example.
#9614
#9634
Wasmtime's async feature no longer requires std.
#9689
The buffer and budget capacity of OutgoingBody in wasmtime-wasi-http are now configurable.
#9670
Changed
Wasmtime's external and internal distinction of "static" and "dynamic"
memories has been refactored and reworded. All options are preserved but
exported under different names with improved documentation about how they all
interact with one another. (and everything should be easier to understand)
#9545
Each Store<T> now caches a single fiber stack in async mode to avoid allocating/deallocating if the store is used multiple times.
#9604
Linear memories now have a 32MiB guard region at the end instead of a 2GiB
guard region by default.
#9606
Wasmtime will no longer validate dependencies between WebAssembly features, instead delegating this work to wasmparser's validator.
#9623
Cranelift's isle-in-source-tree feature has been re-worked as an environment variable.
#9633
Wasmtime's minimum supported Rust version is now 1.81.
#9692
Synthetic types in DWARF are now more efficiently represented.
#9700
Debug builtins on Windows are now exported correctly.
#9706
Documentation on Config now clarifies that defaults of some options may differ depending on the selected target or compiler depending on features supported.
#9705
Wasmtime's error-related types now all unconditionally implement the Error trait, even in #[no_std] mode.
#9702
Fixed
Field type matching for subtyping with wasm GC has been fixed.
#9724
Native unwind info generated for s390x has been fixed in the face of tail
calls.
#9725
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
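
The following Rust program is an added example, not code from this PR, Renovate or Wasmtime: it reads the resolved wasmtime-wasi versions out of a Cargo.lock and compares them with the patched releases the advisory above lists (24.0.4, 33.0.2, 34.0.2). The function names, the sample lockfile and the treatment of release lines the advisory does not list are assumptions of the example.

```rust
// Added example (not part of the PR or of Wasmtime): report whether the
// wasmtime-wasi versions pinned in a Cargo.lock carry the fd_renumber fix.

/// Patched releases listed in the advisory, as (major, minor, patch).
const PATCHED: [(u64, u64, u64); 3] = [(24, 0, 4), (33, 0, 2), (34, 0, 2)];

/// Parse "MAJOR.MINOR.PATCH", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Assumptions: a major line newer than every patched line already has the
/// fix; any other line without a listed patch release counts as unpatched.
fn is_patched(v: (u64, u64, u64)) -> bool {
    PATCHED.iter().any(|fix| fix.0 == v.0 && v >= *fix)
        || PATCHED.iter().all(|fix| v.0 > fix.0)
}

/// Return the value of a `key = "value"` line, if the line has that shape.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Collect every locked version of `crate_name` with its patched flag.
fn audit_lockfile(lock: &str, crate_name: &str) -> Vec<(String, bool)> {
    let mut findings = Vec::new();
    let mut in_target = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_target = false;
        } else if let Some(name) = quoted_value(line, "name") {
            in_target = name == crate_name;
        } else if in_target {
            if let Some(ver) = quoted_value(line, "version") {
                // An unparseable version is reported as unpatched.
                let ok = parse_version(ver).map_or(false, is_patched);
                findings.push((ver.to_string(), ok));
                in_target = false;
            }
        }
    }
    findings
}

// Constructed sample lockfile, not taken from the repository.
const SAMPLE_LOCK: &str = r#"
version = 4

[[package]]
name = "wasmtime-wasi"
version = "27.0.0"

[[package]]
name = "wasmtime-wasi"
version = "33.0.2"
"#;

fn main() {
    for (ver, ok) in audit_lockfile(SAMPLE_LOCK, "wasmtime-wasi") {
        println!("wasmtime-wasi {ver}: {}", if ok { "patched" } else { "UNPATCHED" });
    }
}
```

The check runs on the version Cargo actually resolved, since a manifest requirement of 33.0.0 can lock to either 33.0.0 or 33.0.2.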