Update Rust crate prost to 0.6.0 [SECURITY]

[renovate[bot]]

This PR contains the following updates:

Package	Type	Update	Change
prost	dependencies	minor	0.5.0 -> 0.6.0

GitHub Vulnerability Alerts

CVE-2020-35858

Affected versions of this crate contained a bug in which decoding untrusted input could overflow the stack. On architectures with stack probes (like x86), this can be used for denial of service attacks, while on architectures without stack probes (like ARM) overflowing the stack is unsound and can result in potential memory corruption (or even RCE).

---

Release Notes

tokio-rs/prost (prost)

v0.6.1

Compare Source

PROST! is a Protocol Buffers implementation for the Rust Language. prost generates simple, idiomatic Rust code from proto2 and proto3 files.

prost 0.6.1 fixes a bug in which decoding untrusted input could overflow the stack. The bug was reported by @​dbrgn in #​267 (with an attached repro!), and fixed by @​danburkert. The fix extended the same recursion limits introduced in #​186 by @​nrc (released in 0.6.0) to the logic which skips unknown fields during decoding, which became recursive when support was added for decoding groups (also released in 0.6.0). The 0.6.0 release of the prost crates has been yanked from crates.io.

Additionally, @​koushiro updated the private dependencies of all prost crates to the latest versions.

Many thanks to the generous contributors who have helped out since 0.6.0:

• Dan Burkert
• Danilo Bargen
• Qinxuan Chen

v0.6.0

Compare Source

PROST! is a Protocol Buffers implementation for the Rust Language. prost generates simple, idiomatic Rust code from proto2 and proto3 files.

prost 0.6.0 includes breaking changes:

• The minimum-supported Rust version (MSRV) is now 1.39.0.
• The bytes public dependency version is now 0.5.
• The prost-types Timestamp and Duration types now impl TryFrom for their std::time equivalents. The old inherent try_from methods have been removed.
• Deeply nested messages now fail decoding with an error, instead of potentially resulting in a stack overflow. The limit is set to a nesting depth of 100, and the limit can be disabled using a new no-recursion-limit Cargo feature.

As well as many new (non-breaking) features and improvements:

• @​hanya added support for protobuf Group types.
• @​danburkert improved the benchmark suite, including adding support for the full set of upstream message encoding and decoding benchmarks.
• @​nrc implemented a series of micro-optimizations which result in faster message encoding and decoding.
• @​dunmatt improved the method docs on generated types.
• @​lukaslueg removed the dependency on byteorder.
• @​parasyte added the ServiceGenerator::finalize_package, which is useful for advanced service generators.
• @​joelgallant improved the error message that occurs when attempting to compile .proto files without a package specifier.
• @​LucioFranco removed the direct dependency of generated types on the bytes crate, which means applications which use prost code generation are no longer required to declare a bytes dependency.
• @​ErichDonGubler and @​hobofan bumped the syn, quote, and proc-macro2 to stable versions.
• @​Timmmm improved prost-build so that it no longer writes .rs files when they are unchanged, which improves working with tools like cargo watch in codebases with prost code generation.
• @​Hirevo replaced usage of failure with anyhow.
• @​danburkert bumped the packaged protoc version to 3.11.2.

Many thanks to the generous contributors who have helped out since 0.5.0:

• Dan Burkert
• Erich Gubler
• FujiApple
• Hanya
• Jay Oster
• Joel Gallant
• koushiro
• Lucio Franco
• Luffbee
• lukaslueg
• M@ Dunlap
• Maximilian Goisser
• Mikhail Zabaluev
• Nick Cameron
• Nicolas Polomack
• Stephan Wolski
• Tim Hutt

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate[bot]]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: docker run --rm --name=renovate_a_sidecar --label=renovate_a_child --memory=3584m -v "/tmp/worker/6db155/780fbb/repos/github/bodymindarts/risq":"/tmp/worker/6db155/780fbb/repos/github/bodymindarts/risq" -v "/tmp/worker/6db155/780fbb/cache":"/tmp/worker/6db155/780fbb/cache" -e CONTAINERBASE_CACHE_DIR -w "/tmp/worker/6db155/780fbb/repos/github/bodymindarts/risq" ghcr.io/containerbase/sidecar:9.28.0 bash -l -c "install-tool rust 1.74.0 && cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace && cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package [email protected] --precise 0.6.1"
    Updating crates.io index
      Adding anyhow v1.0.75
      Adding bytes v0.5.6
      Adding prost v0.6.1
      Adding prost-derive v0.6.1
    Updating crates.io index
error: failed to select a version for the requirement `prost = "^0.5.0"`
candidate versions found which didn't match: 0.6.1
location searched: crates.io index
required by package `prost-types v0.5.0`
    ... which satisfies dependency `prost-types = "^0.5.0"` (locked to 0.5.0) of package `risq v0.4.2-dev (/tmp/worker/6db155/780fbb/repos/github/bodymindarts/risq)`
perhaps a crate was updated and forgotten to be re-vendored?