GHSA-vxcf-c7mx-pg53: Build corruption when using `PYO3_CONFIG_FILE` environment variable

Skip to content

Navigation Menu

• • GitHub Copilot

    Write better code with AI

  • Security

    Find and fix vulnerabilities

  • Actions

    Automate any workflow

  • Codespaces

    Instant dev environments

  • Issues

    Plan and track work

  • Code Review

    Manage code changes

  • Discussions

    Collaborate outside of code

  • Code Search

    Find more, search less

• Explore

  • Learning Pathways
  • White papers, Ebooks, Webinars
  • Customer Stories
  • Partners
  • Executive Insights

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. GHSA-vxcf-c7mx-pg53

Build corruption when using `PYO3_CONFIG_FILE` environment variable

Moderate severity GitHub Reviewed Published Dec 5, 2024 to the GitHub Advisory Database • Updated Dec 5, 2024

Package

cargo pyo3 (Rust)

Affected versions

>= 0.23.0, < 0.23.3

Description

In PyO3 0.23.0 the PYO3_CONFIG_FILE environment variable used to configure builds regressed such that changing the environment variable would no longer trigger PyO3 to reconfigure and recompile. In combination with workflows using tools such as maturin to build for multiple versions in a single build, this leads to Python wheels being compiled against the wrong Python API version.

All users who distribute artefacts for multiple Python versions are encouraged to update and rebuild with PyO3 0.23.3. Affected wheels produced from PyO3 0.23.0 through 0.23.2 are highly unstable and will crash the Python interpreter in unpredictable ways.

References

• PyO3/pyo3#4757
• https://rustsec.org/advisories/RUSTSEC-2024-0409.html

Published to the GitHub Advisory Database

Dec 5, 2024