Skip to content

fix(deps): update Wasmtime 29.0.1 to 36.0.12 for RUSTSEC-2026-0096 (ARN-169)#345

Open
rita-aga wants to merge 2 commits into
mainfrom
claude/arn-169-wasmtime-36
Open

fix(deps): update Wasmtime 29.0.1 to 36.0.12 for RUSTSEC-2026-0096 (ARN-169)#345
rita-aga wants to merge 2 commits into
mainfrom
claude/arn-169-wasmtime-36

Conversation

@rita-aga

@rita-aga rita-aga commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Closes ARN-169 under epic ARN-165. Draft for review — do not merge.

What

Update wasmtime and wasmtime-wasi from 29.0.1 to 36.0.12 to close RUSTSEC-2026-0096 (CVSS 9.0, AArch64 Cranelift miscompile enabling a WASM sandbox escape) and the other Wasmtime advisories affecting the prior dependency line.

Wasmtime 46.0.1 was evaluated and rejected because it requires Rust 1.94, while this workspace declares Rust 1.92. The fix for RUSTSEC-2026-0096 was backported in Wasmtime 36.0.7; 36.0.12 is the newest compatible patched release on that line. ADR-0159 records the decision and rejected alternatives.

Changes

  • Pin wasmtime and wasmtime-wasi to 36.0.12.
  • Update MemoryOutputPipe to the 36.x wasmtime_wasi::p2::pipe path.
  • Preserve the existing per-invocation store, fuel budget, epoch deadline, memory limiter, and WASIp1 isolation.
  • Add adversarial coverage for memory-growth denial, initial over-budget instantiation, and an actual WASIp1 fd_write compile/invoke path.

Verification

  • GitHub Actions is fully green for commit 0c345290 across compile/lint, workspace tests, DST shards, verification, instrumentation, and integrity gates.
  • The Wasmtime advisory is absent from the updated lockfile audit.
  • Sandbox invariant and WASIp1 end-to-end tests pass.
  • Lockfile movement was generated as a targeted Wasmtime dependency update; unrelated advisory families remain tracked separately under ARN-165.

Scope

Temper kernel only. This PR does not claim to close the independent WASM host/stream-capability findings ARN-207 and ARN-208.

Greptile Summary

Updates wasmtime and wasmtime-wasi from 29.0.1 to 36.0.12 to remediate RUSTSEC-2026-0096 (CVSS 9.0 AArch64 Cranelift sandbox escape) and 18 other advisories, with 46.0.1 rejected because it requires Rust 1.94 — above the workspace's declared 1.92 MSRV. The only host-side API change is the relocation of MemoryOutputPipe from wasmtime_wasi::pipe to wasmtime_wasi::p2::pipe; all sandbox controls (per-invocation store, fuel, epoch, memory limiter, WASIp1 isolation) are preserved verbatim.

  • engine/mod.rs: single import-path fix for MemoryOutputPipe; all Config, Store, Linker, ResourceLimiter call sites are unchanged.
  • tests/sandbox.rs: three new targeted tests — memory-growth denial (now stricter: WAT traps if memory.grow does not return −1), over-budget initial-memory rejection at instantiation, and a WASIp1 fd_write end-to-end smoke test via the updated pipe path.
  • docs/adrs/0159-wasmtime-36-security-update.md: decision record covering the full advisory set, MSRV rationale, API migration table, and rollback procedure.

Confidence Score: 5/5

Safe to merge — the host-side code change is a single import path fix, all sandbox controls are preserved, and CI is green.

The only functional change in the host code is one import path for MemoryOutputPipe; the surrounding fuel, epoch, memory limiter, and per-invocation store logic is byte-for-byte identical to what was there before. The lockfile movement is confined to the Wasmtime/Cranelift/pulley closure, and the new tests are stricter than the ones they replace.

No files require special attention. The ADR, tests, and Cargo pins are all internally consistent.

Important Files Changed

Filename Overview
crates/temper-wasm/src/engine/mod.rs Single-line import path fix: wasmtime_wasi::pipe::MemoryOutputPipewasmtime_wasi::p2::pipe::MemoryOutputPipe. All surrounding sandbox logic (store creation, fuel, epoch deadline, memory limiter) is untouched.
crates/temper-wasm/src/engine/tests/sandbox.rs New sandbox regression tests. WAT iovec structure for fd_write is correctly constructed (iov at 0–7, data at 32, nwritten ptr at 16). The memory-grow WAT now actively traps on unexpected growth success, making the assertion stronger than the removed test.
Cargo.toml Wasmtime and wasmtime-wasi pins updated from "29" to "36.0.12". Caret semantics allow >=36.0.12 <37 but the lockfile fixes the exact resolved version, so the constraint is effectively precise for the current build.
Cargo.lock Lockfile updated for the Wasmtime/Cranelift/pulley dependency closure. Duplicate version entries for addr2line, gimli, object, dirs resolved down to single entries, consistent with a targeted update rather than a broad lockfile churn.
crates/temper-wasm/src/engine/tests/mod.rs Renamed from tests.rs to tests/mod.rs; adds mod sandbox;. Removed old WAT_MEMORY_GROW constant and weaker memory_growth_denied_by_limiter test, both superseded by the stricter versions in sandbox.rs.
docs/adrs/0159-wasmtime-36-security-update.md Well-structured ADR covering context, decision rationale (including 44.x still affected by RUSTSEC-2026-0188, 46.x MSRV incompatibility), API migration table, DST compliance note, remaining outstanding advisories, and rollback procedure.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Host as temper-wasm host
    participant Engine as WasmEngine
    participant Store as Store (per-invocation)
    participant Limiter as MemoryLimiter
    participant WASI as WasiCtxBuilder (p2::pipe)
    participant Guest as WASM Guest

    Host->>Engine: compile_and_cache(wasm_bytes)
    Engine->>Engine: detect needs_wasi (wasi_snapshot_preview1 import)
    alt needs_wasi
        Engine->>WASI: link preview1::add_to_linker_sync
        Engine->>Engine: cache instance_pre_wasi
    else no WASI
        Engine->>Engine: cache instance_pre
    end

    Host->>Engine: invoke(hash, context, limits)
    Engine->>Store: Store::new(engine, host_state)
    Engine->>Store: set_fuel(limits.max_fuel)
    Engine->>Store: "limiter(MemoryLimiter { max_memory })"
    Engine->>Store: set_epoch_deadline(ticks)

    alt needs_wasi
        Engine->>WASI: MemoryOutputPipe::new (p2::pipe path in 36.x)
        Engine->>WASI: WasiCtxBuilder::new().stderr(pipe).build_p1()
    end

    Engine->>Store: "instance_pre.instantiate(&mut store)"
    Store->>Limiter: memory_growing(current, desired, max)?
    Limiter-->>Store: Ok(true) or Ok(false) / Instantiation error

    Engine->>Guest: run_fn.call(ctx_ptr, ctx_len)
    Guest-->>Engine: result_ptr or trap
    note over Engine,Guest: Fuel / epoch deadline enforced by Wasmtime 36.x
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Host as temper-wasm host
    participant Engine as WasmEngine
    participant Store as Store (per-invocation)
    participant Limiter as MemoryLimiter
    participant WASI as WasiCtxBuilder (p2::pipe)
    participant Guest as WASM Guest

    Host->>Engine: compile_and_cache(wasm_bytes)
    Engine->>Engine: detect needs_wasi (wasi_snapshot_preview1 import)
    alt needs_wasi
        Engine->>WASI: link preview1::add_to_linker_sync
        Engine->>Engine: cache instance_pre_wasi
    else no WASI
        Engine->>Engine: cache instance_pre
    end

    Host->>Engine: invoke(hash, context, limits)
    Engine->>Store: Store::new(engine, host_state)
    Engine->>Store: set_fuel(limits.max_fuel)
    Engine->>Store: "limiter(MemoryLimiter { max_memory })"
    Engine->>Store: set_epoch_deadline(ticks)

    alt needs_wasi
        Engine->>WASI: MemoryOutputPipe::new (p2::pipe path in 36.x)
        Engine->>WASI: WasiCtxBuilder::new().stderr(pipe).build_p1()
    end

    Engine->>Store: "instance_pre.instantiate(&mut store)"
    Store->>Limiter: memory_growing(current, desired, max)?
    Limiter-->>Store: Ok(true) or Ok(false) / Instantiation error

    Engine->>Guest: run_fn.call(ctx_ptr, ctx_len)
    Guest-->>Engine: result_ptr or trap
    note over Engine,Guest: Fuel / epoch deadline enforced by Wasmtime 36.x
Loading

Reviews (4): Last reviewed commit: "fix(wasm): update Wasmtime security base..." | Re-trigger Greptile

…ox escape)

Closes the CVSS 9.0 aarch64 Cranelift miscompilation (RUSTSEC-2026-0096)
that let a WASM guest escape its linear-memory sandbox, plus ~18 other
wasmtime / wasmtime-wasi advisories, by bumping wasmtime and wasmtime-wasi
29.0.1 → 46.0.1 (latest; workspace MSRV 1.92 / toolchain nightly 1.95).

The only source break is the wasmtime-34 wasmtime-wasi module reorg
(preview1 -> p1, pipe -> p2::pipe); five path renames in
temper-wasm/src/engine/mod.rs. The core embedding API is unchanged and no
sandbox control is weakened: per-invocation fresh Store, fuel budget, epoch
wall-clock timeout, memory limiter, and WASI with no preopened dirs / no
inherited env / no network (in-memory stderr pipe only).

Also clears advisories reachable by a safe lockfile-only bump:
postgres-protocol 0.6.12, tokio-postgres 0.7.18, quinn-proto 0.11.16,
crossbeam-epoch 0.9.20, rustls-webpki 0.103.13.

cargo audit: 37 -> 9 vulnerabilities; all 19 wasmtime/wasmtime-wasi
advisories cleared. Remaining 9 have no safe bump here (rsa, tokio-tar: no
fix; protobuf via pprof, rustls-webpki 0.102 via libsql: upstream-pinned;
quick-xml: needs a temper-spec CSDL parser migration) and are tracked as
follow-ups in ADR-0158.

Refs ARN-169.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@rita-aga rita-aga marked this pull request as ready for review July 7, 2026 07:38
@rita-aga

rita-aga commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator Author

@greptile review

@rita-aga

Copy link
Copy Markdown
Collaborator Author

ARN-165 principle audit — request changes / scope incomplete

The dependency upgrade is worthwhile, but it does not meet ARN-169's “clear advisories in both repos” acceptance criteria.

Audit evidence

  • Temper current main (a28fdb2e): 37 vulnerabilities, 5 unmaintained advisories, 5 unsound advisories.
  • This branch reduces Temper to 9 vulnerabilities, but still reports protobuf, both quick-xml DoS advisories, RSA, four rustls-webpki advisories, and tokio-tar.
  • TemperPaw current main still reports 29 vulnerabilities, 5 unmaintained, and 3 unsound advisories. This PR does not change that repository.

Required before closure

  1. Rebase this behind branch onto current main and rerun the complete workspace, sandbox, and cargo audit gates.
  2. Complete or explicitly split the remaining kernel advisories with owners and non-punted acceptance dates.
  3. Land the compatible TemperPaw dependency update and produce clean/accepted audit reports for both lockfiles.
  4. Exercise actual WASM compile/invoke/resource-limit behavior after the Wasmtime jump, not only ordinary unit tests.

This upgrade also does not address the independent raw-host/stream-capability sandbox findings in ARN-207/208. Please narrow the title if those deliverables are intentionally moved to separate PRs.

@greptile-apps greptile-apps Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rita-aga has reached the 50-credit limit for trial accounts. To continue receiving code reviews, upgrade your plan.

@nerdsane

Copy link
Copy Markdown
Owner

@greptile review

@greptile-apps greptile-apps Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rita-aga has reached the 50-credit limit for trial accounts. To continue receiving code reviews, upgrade your plan.

@nerdsane

Copy link
Copy Markdown
Owner

@greptile review

Comment thread Cargo.toml
@nerdsane nerdsane changed the title fix(deps): bump wasmtime 29→46 — close RUSTSEC-2026-0096 CVSS 9.0 (ARN-169) fix(deps): update Wasmtime 29.0.1 to 36.0.12 for RUSTSEC-2026-0096 (ARN-169) Jul 10, 2026
@nerdsane

Copy link
Copy Markdown
Owner

@greptile review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants