[GHSA-cq8v-f236-94qc] Rand is unsound with a custom logger using rand::rng() #7481
nbagnard wants to merge 1 commit into nbagnard/advisory-improvement-7481 from
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Updates the GitHub-reviewed advisory for GHSA-cq8v-f236-94qc to reflect newly clarified affected version ranges and the backported fix in rand 0.8.6.
Changes:
- Updates the affected range start for the 0.9.x line (introduced 0.9.0 → fixed 0.9.3).
- Adds a new affected range for `rand` 0.7.0 → fixed 0.8.6 (backport).
- Bumps the advisory `modified` timestamp.
| "introduced": "0.9.0" | ||
| }, | ||
| { | ||
| "fixed": "0.9.3" |
The advisory mixes an ECOSYSTEM range that is fixed at 0.9.3 with an explicit vulnerable versions entry for 0.10.0. If 0.10.0 is intended to be vulnerable, it’s clearer (and typically easier for tooling) to represent it as an additional ranges[].events segment (e.g., an introduced: "0.10.0" event, optionally with a fixed if known) rather than (or in addition to) a standalone versions list.
| "versions": [ | ||
| "0.10.0" | ||
| ] |
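Review bot: a standalone `versions` list that names only `0.10.0` is matched literally, so tooling consuming this advisory will flag 0.10.0 and nothing after it; if the 0.10 line has no fix yet, any later 0.10.x release is silently treated as unaffected. Expressing it as a `ranges[].events` segment with `"introduced": "0.10.0"` (and no `fixed` event until a fix exists) keeps later 0.10.x releases covered, and the `fixed` event can be added once a patched 0.10 release is known.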
| { | ||
| "package": { | ||
| "ecosystem": "crates.io", | ||
| "name": "rand" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0.7.0" | ||
| }, | ||
| { | ||
| "fixed": "0.8.6" | ||
| } | ||
| ] | ||
| } | ||
| ] |
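Review bot: the `"introduced": "0.7.0"` event in this range marks every 0.7.x release as affected with no patched 0.7 release, while the comments on this PR only document a backported fix in rand 0.8.6 (RustSec RUSTSEC-2026-0097 and the 0.8.6 release notes). Please cite the source for 0.7.0 as the first affected version in the PR description, or start the range at the earliest version the linked RustSec advisory names, so the lower bound is verifiable.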
The PR adds a second affected entry for the same package (rand). If the existing affected array already contains a rand entry (it appears to, given the other rand-line changes), consider consolidating into a single affected item with multiple ranges blocks (one per maintenance line: 0.7–0.8.6, 0.9–0.9.3, etc.). This reduces duplication and makes future edits (e.g., adding a 0.10.x fix) less error-prone.
Comments
The patch was backported to rand 0.8.6.
See the updated "Patched" section in https://rustsec.org/advisories/RUSTSEC-2026-0097.html and the rand 0.8.6 release notes at https://github.com/rust-random/rand/releases/tag/0.8.6