Summary
tch currently pins rand = "0.8" in its Cargo.toml. The latest affected release of rand (0.8.5) is now flagged by RUSTSEC-2026-0097 as unsound, which causes cargo deny check to fail for any downstream consumer of tch.
Would you be open to a PR bumping rand to 0.9.3 (minimum fix version) or 0.10.1+?
Advisory
Affected versions: `rand >= 0.7, < 0.9.3` and `0.10.0`
Interacting crate: `log`
Upstream issue: rust-random/rand#1763
The advisory's unsound-UB trigger conditions (custom log logger + rand::rng() called from inside the logger + ThreadRng reseed + trace-level logging) are not reachable via tch's internal rand usage, so this is not exploitable in practice. But cargo deny check is strict-by-default and flags any affected version in the graph.
Scope of the upgrade in tch
I audited the rand surface area in this repo via GitHub code search:
- Root `Cargo.toml`: one line — `rand = "0.8"`.
- Library usage (`src/vision/dataset.rs`): five call sites, all in the data-augmentation helpers (`random_flip`, `random_crop`, `random_cutout`):

```rust
// line 4
use rand::Rng;
// line 37
let src = if rand::random() { t_view } else { t_view.flip([2]) };
// lines 57–58
let start_w = rand::thread_rng().gen_range(0..2 * pad);
let start_h = rand::thread_rng().gen_range(0..2 * pad);
// lines 75–76
let start_h = rand::thread_rng().gen_range(0..size[2] - sz + 1);
let start_w = rand::thread_rng().gen_range(0..size[3] - sz + 1);
```

- Examples (`examples/translation/main.rs`): one call site. Can migrate alongside the library or stay behind since examples aren't part of the published crate.
The rand 0.9 migration for these is mechanical and documented in rand's MIGRATION.md:
| 0.8 | 0.9 |
|---|---|
| `rand::thread_rng()` | `rand::rng()` |
| `Rng::gen_range(a..b)` | `Rng::random_range(a..b)` |
| `rand::random()` | `rand::random()` (still works; sometimes needs a turbofish in ambiguous contexts) |
| `use rand::Rng;` | (unchanged) |
Nothing else touches rand directly in the tch crate itself. torch-sys has no rand dep that I can see. I expect the whole change to be ~5–10 lines plus the Cargo.toml bump.
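To make concrete what `cargo deny check` is reacting to, here is a small lockfile scanner added as an illustration (it is not tch's, rand's or cargo-deny's code): it reads the `[[package]]` blocks of a `Cargo.lock` and flags any `rand` entry whose version falls inside the advisory ranges quoted above (`>= 0.7, < 0.9.3` and `== 0.10.0`). The three lockfile snippets are constructed for the example, not copied from tch, and the `tch` version in them is a placeholder.

```python
import re
from typing import List, Tuple

# Affected ranges as quoted in this issue for RUSTSEC-2026-0097:
# rand >= 0.7, < 0.9.3 and rand == 0.10.0.
ADVISORY = "RUSTSEC-2026-0097"
ADVISORY_CRATE = "rand"


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple (any suffix is ignored)."""
    core = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not core:
        raise ValueError(f"not a semver version: {v!r}")
    return tuple(int(x) for x in core.groups())


def is_affected(version: str) -> bool:
    """True if this rand version is inside the advisory's affected ranges."""
    v = parse_version(version)
    return (0, 7, 0) <= v < (0, 9, 3) or v == (0, 10, 0)


def parse_lockfile(text: str) -> List[Tuple[str, str]]:
    """Extract (name, version) pairs from the [[package]] blocks of a Cargo.lock."""
    packages: List[Tuple[str, str]] = []
    name = version = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if name and version:
                packages.append((name, version))
            name = version = None
        elif m := re.match(r'name\s*=\s*"([^"]+)"', line):
            name = m.group(1)
        elif m := re.match(r'version\s*=\s*"([^"]+)"', line):
            version = m.group(1)
    if name and version:
        packages.append((name, version))
    return packages


def affected_packages(lock_text: str) -> List[Tuple[str, str]]:
    """All lockfile entries that the advisory would flag (one per resolved version)."""
    return [(n, v) for n, v in parse_lockfile(lock_text)
            if n == ADVISORY_CRATE and is_affected(v)]


# Constructed lockfile snippets (not tch's real Cargo.lock).
BEFORE_LOCK = """
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "log"
version = "0.4.27"

[[package]]
name = "rand"
version = "0.8.5"
dependencies = [
 "rand_core",
]

[[package]]
name = "tch"
version = "0.0.0-placeholder"
"""

AFTER_LOCK = BEFORE_LOCK.replace('version = "0.8.5"', 'version = "0.9.3"')

# Cargo allows two semver-incompatible versions of the same crate in one graph,
# so a transitive dependency can keep rand 0.8 resolved after tch itself moves on.
MIXED_LOCK = BEFORE_LOCK + """
[[package]]
name = "rand"
version = "0.9.3"
"""

if __name__ == "__main__":
    for label, lock in (("before", BEFORE_LOCK), ("after", AFTER_LOCK), ("mixed", MIXED_LOCK)):
        print(label, affected_packages(lock) or "clean")
```

The `MIXED_LOCK` case is the practical caveat: bumping tch's own pin clears tch's contribution, but a downstream consumer's `cargo deny check` still fails if some other dependency in their graph resolves `rand` 0.8.x, since the check looks at every resolved version rather than at direct dependencies only.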
Offer
I'm happy to open a PR if one would be welcome — please say the word and I'll send one that covers src/vision/dataset.rs, Cargo.toml, and optionally the translation example. Alternatively, if you'd rather do it yourselves, no pressure — filing this so the advisory is at least visible in your tracker.
Thanks for maintaining tch-rs — it's been rock solid for us.