chore(deps): update rust crate rand to v0.8.6 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
rand (source)	dependencies	patch	0.8.4 → 0.8.6

---

Rand is unsound with a custom logger using rand::rng()

GHSA-cq8v-f236-94qc

More information

Details

It has been reported (by @​lopopolo) that the rand library is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:

• The log and thread_rng features are enabled
• A custom logger is defined
• The custom logger accesses rand::rng() (previously rand::thread_rng()) and calls any TryRng (previously RngCore) methods on ThreadRng
• The ThreadRng (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
• Trace-level logging is enabled or warn-level logging is enabled and the random source (the getrandom crate) is unable to provide a new seed

TryRng (previously RngCore) methods for ThreadRng use unsafe code to cast *mut BlockRng<ReseedingCore> to &mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict.

Severity

Low

References

• https://github.com/rust-random/rand/pull/1763
• https://rustsec.org/advisories/RUSTSEC-2026-0097.html
• https://github.com/advisories/GHSA-cq8v-f236-94qc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

rust-random/rand (rand)

v0.8.6

Compare Source

What's Changed

This release back-ports a fix from v0.10. See also #​1763.

Changes

• Deprecate feature log (#​1772)

• Drop the experimental simd_support feature.

New Contributors

• @​nwalfield made their first contribution in #​1772

Full Changelog: rust-random/rand@0.8.5...0.8.6

v0.8.5

Compare Source

Fixes

• Fix build on non-32/64-bit architectures (#​1144)
• Fix "min_const_gen" feature for no_std (#​1173)
• Check libc::pthread_atfork return value with panic on error (#​1178)
• More robust reseeding in case ReseedingRng is used from a fork handler (#​1178)
• Fix nightly: remove unused slice_partition_at_index feature (#​1215)
• Fix nightly + simd_support: update packed_simd (#​1216)

Rngs

• StdRng: Switch from HC128 to ChaCha12 on emscripten (#​1142).
  We now use ChaCha12 on all platforms.

Documentation

• Added docs about rand's use of const generics (#​1150)
• Better random chars example (#​1157)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.