[Pkg-rust-maintainers] Bug#1140011: rust-py3: RUSTSEC-2026-0176
Salvatore Bonaccorso
carnil at debian.org
Sun Jun 14 19:51:24 BST 2026
Source: rust-pyo3
Version: 0.28.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi
From https://rustsec.org/advisories/RUSTSEC-2026-0176.html
> PyO3 0.24.0 added optimized implementations of Iterator::nth and
> DoubleEndedIterator::nth_back for the BoundListIterator and
> BoundTupleIterator types. These implementations computed the target
> index using unchecked usize addition (index + n) before bounds-
> checking against the sequence length, then read the element via
> get_item_unchecked.
>
> In nth methods, a sufficiently large n (combined with a non-zero
> internal index) could cause the addition to overflow and wrap around,
> producing a small "target index" that passed the bounds check and
> enabling reads at the front of the list or tuple of elements
> previously yielded by the iterator.
>
> In nth_back methods, a sufficiently large n could cause underflow in a
> similar fashion, however would instead allow reads of arbitrary memory
> past the end of the list or tuple storage.
>
> PyO3 0.29.0 has corrected these methods to use checked arithmetic at
> the positions which could be at risk of overflow.
Regards,
Salvatore
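As an added illustration that is not part of the bug report and not PyO3's own code: a small Rust model of the arithmetic the advisory describes, contrasting the unchecked "compute index + n, then bounds-check" shape with the checked-arithmetic shape the fix uses. The SeqIter type, its field names, the fetch helper and the sample list are constructed assumptions; wrapping_add/wrapping_sub stand in for release-mode wraparound of plain `+`/`-` so the behaviour is deterministic.

```rust
/// Minimal model of the iterator state the advisory describes (constructed for
/// illustration; not PyO3's actual code). `index` is the next front position,
/// `end` is one past the next back position.
#[derive(Clone, Copy, Debug)]
pub struct SeqIter {
    pub index: usize,
    pub end: usize,
}

impl SeqIter {
    /// Vulnerable shape of `nth`: the target is computed before the bounds
    /// check. `wrapping_add` reproduces release-mode wraparound of plain `+`
    /// deterministically (a debug build would panic on the overflow instead).
    pub fn nth_target_unchecked(&self, n: usize) -> Option<usize> {
        let target = self.index.wrapping_add(n);
        if target < self.end { Some(target) } else { None }
    }

    /// Fixed shape: `checked_add` turns an overflow into "out of range",
    /// so a wrapped-around small target can never pass the bounds check.
    pub fn nth_target_checked(&self, n: usize) -> Option<usize> {
        match self.index.checked_add(n) {
            Some(target) if target < self.end => Some(target),
            _ => None,
        }
    }

    /// Vulnerable shape of `nth_back`: end - 1 - n with wrapping subtraction.
    /// An underflowed (huge) target still satisfies `target >= index`, which
    /// models the read past the end of the storage described in the advisory.
    pub fn nth_back_target_unchecked(&self, n: usize) -> Option<usize> {
        let target = self.end.wrapping_sub(1).wrapping_sub(n);
        if target >= self.index { Some(target) } else { None }
    }

    /// Fixed shape: underflow is reported as None instead of a huge index.
    pub fn nth_back_target_checked(&self, n: usize) -> Option<usize> {
        match self.end.checked_sub(1).and_then(|e| e.checked_sub(n)) {
            Some(target) if target >= self.index => Some(target),
            _ => None,
        }
    }
}

/// Safe lookup standing in for the unchecked C-level read: a slice `get`
/// returns None for an out-of-range target instead of reading memory.
pub fn fetch<'a>(items: &[&'a str], target: Option<usize>) -> Option<&'a str> {
    target.and_then(|t| items.get(t).copied())
}

fn main() {
    // Constructed sample list; the iterator has already yielded "a" and "b".
    let items = ["a", "b", "c", "d"];
    let it = SeqIter { index: 2, end: items.len() };
    let big = usize::MAX - 1;

    // Unchecked: 2 + (MAX - 1) wraps to 0, passes `0 < 4`, and re-reads "a".
    println!("nth unchecked -> {:?}", fetch(&items, it.nth_target_unchecked(big)));
    // Checked: overflow is reported as None.
    println!("nth checked   -> {:?}", fetch(&items, it.nth_target_checked(big)));

    // Unchecked: 3 - 5 underflows to MAX - 1, which is >= index and so "passes".
    println!("nth_back unchecked target -> {:?}", it.nth_back_target_unchecked(5));
    // Checked: None.
    println!("nth_back checked target   -> {:?}", it.nth_back_target_checked(5));
}
```

The model keeps the same two operands the advisory names (the internal index and the caller-supplied n) and only changes the order of overflow handling versus bounds checking, which is exactly what distinguishes the 0.24.0 code from the 0.29.0 fix.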