Update Rust crate zip to v2.3.0 [SECURITY] #7806

Open · wants to merge 1 commit into base: main

Conversation

oxide-renovate[bot] (Contributor)

This PR contains the following updates:

Package | Type                   | Update | Change
zip     | workspace.dependencies | minor  | =2.1.3 -> =2.3.0

GitHub Vulnerability Alerts

CVE-2025-29787

Summary

In the archive extraction routine of affected versions of the zip crate, symbolic links earlier in the archive are allowed to be used for later files in the archive without validation of the final canonicalized path, allowing maliciously crafted archives to overwrite arbitrary files in the file system when extracted.

Details

This is a variant of the zip-slip vulnerability: we can make the extraction logic step outside of the target directory by creating a symlink to the parent directory and then extracting further files through that symlink.

The documentation of the [::zip::read::ZipArchive::extract] method is in my opinion implying this should not happen:

"Paths are sanitized with ZipFile::enclosed_name." ...
[::zip::read::FileOptions::enclosed_name] ... is resistant to path-based exploits ... can’t resolve to a path outside the current directory.

Most archive software either declines to extract symlinks that traverse out of the directory, or defers the creation of symlinks until after all files have been created, to prevent unexpected behavior when later entries depend on earlier symbolic link entries.

PoC

https://gist.github.com/eternal-flame-AD/bf71ef4f6828e741eb12ce7fd47b7b85

Impact

Users who extract untrusted archive files using the following high-level API methods may be affected, and critical files on the system may be overwritten with arbitrary file permissions, which can potentially lead to code execution.

  • zip::unstable::stream::ZipStreamReader::extract
  • zip::read::ZipArchive::extract

Release Notes

zip-rs/zip2 (zip)

v2.3.0

Compare Source

🚀 Features
  • Add support for NTFS extra field (#279)
🐛 Bug Fixes
  • (test) Conditionalize a zip64 doctest (#308)
  • fix failing tests, remove symlink loop check
  • Canonicalize output path to avoid false negatives
  • Symlink handling in stream extraction
  • Canonicalize output paths and symlink targets, and ensure they descend from the destination
⚙️ Miscellaneous Tasks
  • Fix clippy and cargo fmt warnings (#310)

v2.2.3

Compare Source

🚜 Refactor
  • Change the inner structure of DateTime (#267)
⚙️ Miscellaneous Tasks
  • cargo fix --edition

v2.2.2

Compare Source

🐛 Bug Fixes
  • rewrite the EOCD/EOCD64 detection to fix extreme performance regression (#247)

v2.2.1

Compare Source

🐛 Bug Fixes
  • remove executable bit (#238)
  • (lzma) fixed panic in case of invalid lzma stream (#259)
  • resolve new clippy warnings on nightly (#262)
  • resolve clippy warning in nightly (#252)
⚡ Performance

v2.2.0

Compare Source

🚀 Features
  • Expose ZipArchive::central_directory_start (#232)

v2.1.6

Compare Source

🐛 Bug Fixes
  • (#33) Rare combination of settings could lead to writing a corrupt archive with overlength extra data, and data_start locations when reading the archive back were also wrong (#221)
🚜 Refactor
  • Eliminate some magic numbers and unnecessary path prefixes (#225)

v2.1.5

Compare Source

🚜 Refactor
  • change invalid_state() return type to io::Result

v2.1.4

Compare Source

🐛 Bug Fixes
  • fix(#215): Upgrade to deflate64 0.1.9
  • Panic when reading a file truncated in the middle of an XZ block header
  • Some archives with over u16::MAX files were handled incorrectly or slowly (#189)
  • Check number of files when deciding whether a CDE is the real one
  • Could still select a fake CDE over a real one in some cases
  • May have to consider multiple CDEs before filtering for validity
  • We now keep searching for a real CDE header after read an invalid one from the file comment
  • Always search for data start when opening an archive for append, and reject the header if data appears to start after central directory
  • deep_copy_file no longer allows overwriting an existing file, to match the behavior of shallow_copy_file
  • File start position was wrong when extra data was present
  • Abort file if central extra data is too large
  • Overflow panic when central directory extra data is too large
  • ZIP64 header was being written twice when copying a file
  • ZIP64 header was being written to central header twice
  • Start position was incorrect when file had no extra data
  • Allow all reserved headers we can create
  • Fix a bug where alignment padding interacts with other extra-data fields
  • Fix bugs involving alignment padding and Unicode extra fields
  • Incorrect header when adding AES-encrypted files
  • Parse the extra field and reject it if invalid
  • Incorrect behavior following a rare combination of merge_archive, abort_file and deep_copy_file. As well, we now return an error when a file is being copied to itself.
  • path_to_string now properly handles the case of an empty path
  • Implement Debug for ZipWriter even when it's not implemented for the inner writer's type
  • Fix an issue where the central directory could be incorrectly detected
  • finish_into_readable() would corrupt the archive if the central directory had moved
🚜 Refactor
  • Verify with debug assertions that no FixedSizeBlock expects a multi-byte alignment (#198)
  • Use new do_or_abort_file method
⚡ Performance
  • Speed up CRC when encrypting small files
  • Limit the number of extra fields
  • Refactor extra-data validation
  • Store extra data in plain vectors until after validation
  • Only build one IndexMap after choosing among the possible valid headers
  • Simplify validation of empty extra-data fields
  • Validate automatic extra-data fields only once, even if several are present
  • Remove redundant validate_extra_data() call
  • Skip searching for the ZIP32 header if a valid ZIP64 header is present (#189)
⚙️ Miscellaneous Tasks
  • Fix a bug introduced by c934c82
  • Fix a failing unit test
  • Fix build errors on older Rust versions
  • Fix build
  • Fix another fuzz failure
  • Switch to ok_or_abort_file, and inline when that fails borrow checker
  • Switch to ok_or_abort_file, and inline when that fails borrow checker
  • Fix a build error
  • Fix boxed_local warning (can borrow instead)
  • Partial debug
  • Fix more errors when parsing multiple extra fields
  • Fix an error when decoding AES header
  • Fix an error caused by not allowing 0xa11e field
  • Bug fix: crypto_header was being counted toward extra_data_end
  • Bug fix: revert a change where crypto_header was incorrectly treated as an extra field
  • Fix a bug where a modulo of 0 was used
  • Fix a bug when ZipCrypto, alignment and a custom header are used
  • Fix a bug when both ZipCrypto and alignment are used
  • Fix another bug: header_end vs extra_data_end
  • Fix use of a stale value in a debug_assert_eq!
  • Fix: may still get an incorrect size if opening an invalid file for append
  • Fix: may need the absolute start as tiebreaker to ensure deterministic behavior

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - "after 8pm,before 6am" in timezone America/Los_Angeles.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
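The advisory quoted above names the two mitigations most extractors rely on (refusing symlinks that resolve outside the destination, and deferring symlink creation until all regular files exist), and the v2.3.0 release notes describe the crate's own fix as canonicalizing output paths and symlink targets and checking that they descend from the destination. The program below is an added example that applies both mitigations with nothing but the Rust standard library on Unix; it is not code from the zip crate, from zip-rs/zip2 or from the omicron repository. Archive entries are modelled by a constructed `Entry` enum, and the names `extract`, `ensure_dir_within`, `enclosed_name`, `split`, `escape`, `temp_dest`, `benign_entries` and `escaping_entries` are this example's own, not the crate's API.

```rust
use std::path::{Component, Path, PathBuf};
use std::{fs, io};

/// Constructed model of an archive entry (stands in for a zip entry; not the zip crate's type).
pub enum Entry {
    File { name: String, data: Vec<u8> },
    Symlink { name: String, target: String },
}

fn escape(p: &Path, dest: &Path) -> io::Error {
    let msg = format!("{} resolves outside {}", p.display(), dest.display());
    io::Error::new(io::ErrorKind::PermissionDenied, msg)
}

/// Lexical pre-check in the spirit of enclosed_name: absolute paths, prefixes and `..` are rejected.
fn enclosed_name(name: &str) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for c in Path::new(name).components() {
        match c { Component::Normal(s) => out.push(s), Component::CurDir => {}, _ => return None }
    }
    if out.as_os_str().is_empty() { None } else { Some(out) }
}

/// Split a checked entry name into its directory part and its final component.
fn split(name: &str) -> io::Result<(PathBuf, PathBuf)> {
    let bad = || io::Error::new(io::ErrorKind::InvalidInput, format!("unsafe entry name {name}"));
    let rel = enclosed_name(name).ok_or_else(bad)?;
    let dir = rel.parent().unwrap_or(Path::new("")).to_path_buf();
    Ok((dir, PathBuf::from(rel.file_name().unwrap()))) // rel is non-empty, so file_name exists
}

/// Walk `rel_dir` below the canonical `dest` one component at a time: an existing component is
/// canonicalized (following any symlink already present) and must still descend from `dest`;
/// a missing one is created as a real directory.
fn ensure_dir_within(dest: &Path, rel_dir: &Path) -> io::Result<PathBuf> {
    let mut cur = dest.to_path_buf();
    for c in rel_dir.components() {
        cur.push(c);
        match fs::symlink_metadata(&cur) {
            Ok(_) => {
                let canon = fs::canonicalize(&cur)?;
                if !canon.starts_with(dest) { return Err(escape(&cur, dest)); }
                cur = canon;
            }
            Err(e) if e.kind() == io::ErrorKind::NotFound => fs::create_dir(&cur)?,
            Err(e) => return Err(e),
        }
    }
    Ok(cur)
}

/// Extract `entries` into `dest`: files first, symlinks deferred until every file exists and then
/// created, canonicalized through any earlier link, and removed again unless they resolve inside
/// `dest`. Returns the number of entries written; the first escaping entry aborts with an error.
pub fn extract(entries: &[Entry], dest: &Path) -> io::Result<usize> {
    fs::create_dir_all(dest)?;
    let dest = fs::canonicalize(dest)?;
    let (mut written, mut deferred) = (0, Vec::new());
    for entry in entries {
        match entry {
            Entry::File { name, data } => {
                let (rel_dir, file) = split(name)?;
                let out = ensure_dir_within(&dest, &rel_dir)?.join(file);
                // Never write through a symlink already sitting at the output path.
                if fs::symlink_metadata(&out).map_or(false, |m| m.file_type().is_symlink()) {
                    return Err(escape(&out, &dest));
                }
                fs::write(&out, data)?;
                written += 1;
            }
            Entry::Symlink { name, target } => deferred.push((name, target)),
        }
    }
    for (name, target) in deferred {
        let (rel_dir, file) = split(name)?;
        let link = ensure_dir_within(&dest, &rel_dir)?.join(file);
        std::os::unix::fs::symlink(target, &link)?;
        match fs::canonicalize(&link) {
            Ok(resolved) if resolved.starts_with(&dest) => written += 1,
            _ => {
                let _ = fs::remove_file(&link); // dangling or escaping: undo it, refuse the archive
                return Err(escape(&link, &dest));
            }
        }
    }
    Ok(written)
}

/// Fresh scratch directory under the system temp dir (constructed for this example).
pub fn temp_dest(tag: &str) -> PathBuf {
    let t = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH).map_or(0, |d| d.as_nanos());
    std::env::temp_dir().join(format!("zip-extract-demo-{}-{tag}-{t}", std::process::id()))
}

/// Constructed archives: a benign one, and one shaped like the advisory's symlink-to-parent variant.
pub fn benign_entries() -> Vec<Entry> {
    vec![Entry::File { name: "docs/readme.txt".into(), data: b"hello".to_vec() },
         Entry::Symlink { name: "latest".into(), target: "docs/readme.txt".into() }]
}
pub fn escaping_entries() -> Vec<Entry> {
    vec![Entry::Symlink { name: "up".into(), target: "..".into() },
         Entry::File { name: "up/escaped.txt".into(), data: b"must stay inside dest".to_vec() }]
}

fn main() {
    println!("benign:   {:?}", extract(&benign_entries(), &temp_dest("benign")));
    println!("escaping: {:?}", extract(&escaping_entries(), &temp_dest("escaping")));
}
```

The two checks cover different cases. Deferral alone is what neutralizes `escaping_entries`: the `up/escaped.txt` entry lands in a real `up/` directory, and the later `up -> ..` link then fails to be created because the name is taken. The canonicalize-after-create check is what catches a lone escaping link, a link that was already sitting in the destination before extraction started, and a chain such as `sub/l2 -> ..` followed by `l1 -> sub/l2/..`, which a purely lexical `..` count would accept because it never follows the first link. The example also removes a link whose target does not exist yet, which is stricter than some extractors; that choice is the example's own.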

oxide-renovate bot added the "dependencies" label (Pull requests that update a dependency file) on Mar 17, 2025
oxide-renovate bot (Contributor, Author) commented Mar 17, 2025

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace
    Updating git repository `https://github.com/oxidecomputer/pq-sys`
From https://github.com/oxidecomputer/pq-sys
 * [new ref]         b1194c190f4d4a103c2280908cd1e97628c5c1cb -> refs/commit/b1194c190f4d4a103c2280908cd1e97628c5c1cb
    Updating crates.io index
    Updating git repository `https://github.com/oxidecomputer/maghemite`
From https://github.com/oxidecomputer/maghemite
 * [new ref]         caafd889f31faacfaa51e02902990c220c20ef60 -> refs/commit/caafd889f31faacfaa51e02902990c220c20ef60
    Updating git repository `https://github.com/oxidecomputer/serde_human_bytes`
From https://github.com/oxidecomputer/serde_human_bytes
 * [new ref]         0a09794501b6208120528c3b457d5f3a8cb17424 -> refs/commit/0a09794501b6208120528c3b457d5f3a8cb17424
    Updating git repository `https://github.com/oxidecomputer/slog-error-chain`
From https://github.com/oxidecomputer/slog-error-chain
 * [new ref]         15f69041f45774602108e47fb25e705dc23acfb2 -> refs/commit/15f69041f45774602108e47fb25e705dc23acfb2
    Updating git repository `https://github.com/oxidecomputer/tufaceous`
From https://github.com/oxidecomputer/tufaceous
 * [new ref]         69e2896b5905aba61445e519aaa40f02d59638b2 -> refs/commit/69e2896b5905aba61445e519aaa40f02d59638b2
    Updating git repository `https://github.com/oxidecomputer/propolis`
From https://github.com/oxidecomputer/propolis
 * [new ref]         6b5f2af796a3ea57405721407ab70520a93ec73f -> refs/commit/6b5f2af796a3ea57405721407ab70520a93ec73f
    Updating git repository `https://github.com/oxidecomputer/crucible`
From https://github.com/oxidecomputer/crucible
 * [new ref]         81a3528adacdbde18fcbf3938247fef17233db11 -> refs/commit/81a3528adacdbde18fcbf3938247fef17233db11
    Updating git repository `https://github.com/oxidecomputer/opte`
From https://github.com/oxidecomputer/opte
 * [new ref]         cd9aa6467c5e62c6d97f6aafa2150d6930e3a0fa -> refs/commit/cd9aa6467c5e62c6d97f6aafa2150d6930e3a0fa
    Updating git repository `https://github.com/oxidecomputer/falcon`
From https://github.com/oxidecomputer/falcon
 * [new ref]         f3fe0542198c08bbb82d16f168e6482db9bec5b9 -> refs/commit/f3fe0542198c08bbb82d16f168e6482db9bec5b9
    Updating git repository `https://github.com/oxidecomputer/clickward`
From https://github.com/oxidecomputer/clickward
 * [new ref]         e3d9a1c35cf3cd04f9cb2e997b0ad88324d30737 -> refs/commit/e3d9a1c35cf3cd04f9cb2e997b0ad88324d30737
    Updating git repository `https://github.com/oxidecomputer/openapi-lint`
From https://github.com/oxidecomputer/openapi-lint
 * [new ref]         ef442ee4343e97b6d9c217d3e7533962fe7d7236 -> refs/commit/ef442ee4343e97b6d9c217d3e7533962fe7d7236
    Updating git repository `https://github.com/oxidecomputer/management-gateway-service`
From https://github.com/oxidecomputer/management-gateway-service
 * [new ref]         9bbac475dcaac88286c07a20b6bd3e94fc81d7f0 -> refs/commit/9bbac475dcaac88286c07a20b6bd3e94fc81d7f0
    Updating git repository `https://github.com/oxidecomputer/transceiver-control`
From https://github.com/oxidecomputer/transceiver-control
 * [new ref]         4aac6125a8e6cefbb71d9f8a3d1fe6704207d476 -> refs/commit/4aac6125a8e6cefbb71d9f8a3d1fe6704207d476
    Updating git repository `https://github.com/oxidecomputer/ipcc-rs`
From https://github.com/oxidecomputer/ipcc-rs
 * [new ref]         524eb8f125003dff50b9703900c6b323f00f9e1b -> refs/commit/524eb8f125003dff50b9703900c6b323f00f9e1b
    Updating git repository `https://github.com/oxidecomputer/sprockets.git`
From https://github.com/oxidecomputer/sprockets
 * [new ref]         6d31fa63217c6a51061dc4afa1ebe175a0021981 -> refs/commit/6d31fa63217c6a51061dc4afa1ebe175a0021981
    Updating git repository `https://github.com/oxidecomputer/tofino`
From https://github.com/oxidecomputer/tofino
 * [new ref]         1b66b89c3727d2191082df057b068ec52560e334 -> refs/commit/1b66b89c3727d2191082df057b068ec52560e334
    Updating git repository `https://github.com/oxidecomputer/illumos-devinfo`
From https://github.com/oxidecomputer/illumos-devinfo
 * [new ref]         4323b17bfdd0c94d2875ac64b47f0e60fac1d640 -> refs/commit/4323b17bfdd0c94d2875ac64b47f0e60fac1d640
    Updating git repository `https://github.com/oxidecomputer/libefi-illumos`
From https://github.com/oxidecomputer/libefi-illumos
 * [new ref]         54c398c139f0e65252c2c0f9565d2eec7116bf02 -> refs/commit/54c398c139f0e65252c2c0f9565d2eec7116bf02
    Updating git repository `https://github.com/oxidecomputer/libnvme`
From https://github.com/oxidecomputer/libnvme
 * [new ref]         dd5bb221d327a1bc9287961718c3c10d6bd37da0 -> refs/commit/dd5bb221d327a1bc9287961718c3c10d6bd37da0
    Updating git repository `https://github.com/oxidecomputer/lldp`
From https://github.com/oxidecomputer/lldp
 * [new ref]         ce952e61f444119a2a9fe0d5c5c3db96daf70d96 -> refs/commit/ce952e61f444119a2a9fe0d5c5c3db96daf70d96
    Updating git repository `https://github.com/oxidecomputer/hubtools.git`
From https://github.com/oxidecomputer/hubtools
 * [new ref]         f48e2da029ba6552cff5c07ff8a2fc21cc56aa32 -> refs/commit/f48e2da029ba6552cff5c07ff8a2fc21cc56aa32
    Updating git repository `https://github.com/bluecatengineering/dhcproto.git`
From https://github.com/bluecatengineering/dhcproto
 * [new ref]         120da6fcd8a7be84d417d372634ead84ce07e6da -> refs/commit/120da6fcd8a7be84d417d372634ead84ce07e6da
    Updating git repository `https://github.com/oxidecomputer/ispf`
From https://github.com/oxidecomputer/ispf
 * [new ref]         f78443a98397f7818b1e7a487dbb7d5cad625496 -> refs/commit/f78443a98397f7818b1e7a487dbb7d5cad625496
    Updating git repository `https://github.com/oxidecomputer/poptrie`
From https://github.com/oxidecomputer/poptrie
 * [new ref]         ca52bef3f87ff1a67d81b3c6e601dcb5fdbcc165 -> refs/commit/ca52bef3f87ff1a67d81b3c6e601dcb5fdbcc165
    Updating git repository `https://github.com/oxidecomputer/netadm-sys`
From https://github.com/oxidecomputer/netadm-sys
 * [new ref]         f4eae3d8070760922da93b9edd56ca4103b4c390 -> refs/commit/f4eae3d8070760922da93b9edd56ca4103b4c390
    Updating git repository `https://github.com/oxidecomputer/tlvc.git`
From https://github.com/oxidecomputer/tlvc
 * [new ref]         e644a21a7ca973ed31499106ea926bd63ebccc6f -> refs/commit/e644a21a7ca973ed31499106ea926bd63ebccc6f
    Updating git repository `https://github.com/oxidecomputer/dice-util`
From https://github.com/oxidecomputer/dice-util
 * [new ref]         3cc953c8d0ace2f20cbcf3920b0771d25301960a -> refs/commit/3cc953c8d0ace2f20cbcf3920b0771d25301960a
    Updating git repository `https://github.com/oxidecomputer/lpc55_support`
From https://github.com/oxidecomputer/lpc55_support
 * [new ref]         131520fc913ecce9b80557e854751953f743a7d2 -> refs/commit/131520fc913ecce9b80557e854751953f743a7d2
    Updating git repository `https://github.com/oxidecomputer/ingot.git`
From https://github.com/oxidecomputer/ingot
 * [new ref]         bff93247fe75ff889121e39d494cc3805fc01906 -> refs/commit/bff93247fe75ff889121e39d494cc3805fc01906
    Updating git repository `https://github.com/oxidecomputer/dlpi-sys`
From https://github.com/oxidecomputer/dlpi-sys
 * [new ref]         1d587ea98cf2d36f1b1624b0b960559c76d475d2 -> refs/commit/1d587ea98cf2d36f1b1624b0b960559c76d475d2
    Updating git repository `https://github.com/jmesmon/rust-libzfs`
From https://github.com/jmesmon/rust-libzfs
 * [new ref]         ecd5a922247a6c5acef55d76c5b8d115572bc850 -> refs/commit/ecd5a922247a6c5acef55d76c5b8d115572bc850
    Updating git repository `https://github.com/oxidecomputer/rusty-doors`
From https://github.com/oxidecomputer/rusty-doors
 * [new ref]         0e3a1495dcf8b7b5e11a6921c2cf1cf957c5a5bf -> refs/commit/0e3a1495dcf8b7b5e11a6921c2cf1cf957c5a5bf
error: failed to select a version for `zip`.
    ... required by package `tufaceous-lib v0.1.0 (https://github.com/oxidecomputer/tufaceous?branch=main#69e2896b)`
    ... which satisfies git dependency `tufaceous-lib` (locked to 0.1.0) of package `omicron-releng v0.1.0 (/tmp/renovate/repos/github/oxidecomputer/omicron/dev-tools/releng)`
versions that meet the requirements `=2.1.3` are: 2.1.3

all possible versions conflict with previously selected packages.

  previously selected package `zip v2.3.0`
    ... which satisfies dependency `zip = "=2.3.0"` of package `omicron-nexus v0.1.0 (/tmp/renovate/repos/github/oxidecomputer/omicron/nexus)`
    ... which satisfies path dependency `omicron-nexus` (locked to 0.1.0) of package `omicron-dev v0.1.0 (/tmp/renovate/repos/github/oxidecomputer/omicron/dev-tools/omicron-dev)`

failed to select a version for `zip` which could resolve this conflict

File name: Cargo.toml
Command failed: tools/renovate-post-upgrade.sh
+ set -o pipefail
+ set -o pipefail
+ case "${BINSTALL_VERSION:-}" in
++ mktemp -d
+ cd /tmp/tmp.l3Y8UTraYI
+ '[' -z '' ']'
+ base_url=https://github.com/cargo-bins/cargo-binstall/releases/latest/download/cargo-binstall-
++ uname -s
+ os=Linux
+ '[' Linux = Darwin ']'
+ '[' Linux = Linux ']'
++ uname -m
+ machine=x86_64
+ '[' x86_64 = armv7l ']'
+ target=x86_64-unknown-linux-musl
+ '[' x86_64 = armv7 ']'
+ url=https://github.com/cargo-bins/cargo-binstall/releases/latest/download/cargo-binstall-x86_64-unknown-linux-musl.tgz
+ curl -A 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/81.0' -L --proto =https --tlsv1.2 -sSf https://github.com/cargo-bins/cargo-binstall/releases/latest/download/cargo-binstall-x86_64-unknown-linux-musl.tgz
+ tar -xvzf -
+ ./cargo-binstall --self-install
+ CARGO_HOME=/home/ubuntu/.cargo
+ case ":$PATH:" in
+ needs_cargo_home=1
+ '[' -n 1 ']'
+ '[' -n '' ']'
+ echo
+ printf '\033[0;31mYour path is missing %s, you might want to add it.\033[0m\n' /home/ubuntu/.cargo/bin
+ echo
Error: 
   0: building package graph failed
   1: `cargo metadata` execution failed
   2: `cargo metadata` exited with an error:     Updating crates.io index
      error: failed to select a version for `zip`.
          ... required by package `tufaceous-lib v0.1.0 (https://github.com/oxidecomputer/tufaceous?branch=main#69e2896b)`
          ... which satisfies git dependency `tufaceous-lib` (locked to 0.1.0) of package `omicron-releng v0.1.0 (/tmp/renovate/repos/github/oxidecomputer/omicron/dev-tools/releng)`
      versions that meet the requirements `=2.1.3` are: 2.1.3

      all possible versions conflict with previously selected packages.

        previously selected package `zip v2.3.0`
          ... which satisfies dependency `zip = "=2.3.0"` of package `omicron-nexus v0.1.0 (/tmp/renovate/repos/github/oxidecomputer/omicron/nexus)`
          ... which satisfies path dependency `omicron-nexus` (locked to 0.1.0) of package `omicron-dev v0.1.0 (/tmp/renovate/repos/github/oxidecomputer/omicron/dev-tools/omicron-dev)`

      failed to select a version for `zip` which could resolve this conflict

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.

@oxide-renovate oxide-renovate bot force-pushed the renovate/crate-zip-vulnerability branch from c6af3b6 to 67ab53e Compare March 26, 2025 20:34