Update Rust crate diesel to v2.3.8 [SECURITY] #10385

Open
oxide-renovate[bot] wants to merge 1 commit into main from renovate/crate-diesel-vulnerability
@oxide-renovate oxide-renovate Bot commented May 6, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| diesel (source) | workspace.dependencies | patch | 2.3.7 → 2.3.8 |

Diesel's SQLite backend has possible UTF-8 corruption

GHSA-h5x4-m2qf-r4f2

More information

Details

Diesel uses the sqlite3_value_text function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation to mean that this function always returns UTF-8 encoded string values as *const c_char. Based on that, we used str::from_utf8_unchecked to construct a Rust string slice without any additional UTF-8 checks in place. It turned out that this function doesn't always return correct UTF-8 strings. For fields of the SQLite-side storage type BLOB, this pointer can contain arbitrary bytes, which makes the usage of str::from_utf8_unchecked unsound, as this violates the safety contract of str to only contain valid UTF-8 encoded strings.

Mitigation

The preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.

Resolution

Diesel now correctly checks whether the provided byte buffer is actually valid UTF-8, instead of relying on SQLite's documentation. This fix is included in the 2.3.8 release.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Diesel: Possible unaligned data access for implementations of SqliteAggregate

GHSA-q8x8-jrhj-fh9p

More information

Details

Diesel allows registering custom aggregate SQL functions for SQLite via the SqliteAggregate interface.

To store an instance of the custom aggregate processor, Diesel relied on the sqlite3_aggregate_context function provided by SQLite. This function doesn't provide any guarantees about the alignment of the returned allocation, which in turn can lead to problems if the implementing type requires a special alignment, e.g. via a custom #[align(x)] attribute on the type implementing this trait. This affects any user of SqliteAggregate that registers the custom aggregate function with an SQLite connection, while using a non-standard alignment on the type implementing this trait.

Mitigation

The preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.

Resolution

Diesel now allocates the corresponding memory on the Rust side to get a correctly aligned allocation.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Diesel: Command injection in Diesel's implementation of COPY FROM/COPY TO

GHSA-m9p2-fxp5-v3fp

More information

Details

Diesel allows users to configure various options for PostgreSQL's COPY FROM and COPY TO statements. These configurations are partially provided as strings or characters.

Diesel did not check if any of these user-provided options contain a quote character ', which can lead to the injection of additional options in the current COPY FROM/COPY TO statement.

This vulnerability affects any user of COPY FROM/COPY TO that passes user-provided input to any of the affected functions. It can result in modifications of options in the current statement, but it is not possible to inject additional statements.

Mitigation

The preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.

Resolution

Diesel now correctly escapes any quotes contained in the provided arguments.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

diesel-rs/diesel (diesel)

v2.3.8

Compare Source

  • Added support for libsqlite3-sys 0.37.0
  • Raise a compile-time error when mixing aggregate and non-aggregate expressions in an ORDER BY clause without a GROUP BY clause
  • Calling .count() or .select(aggregate_expr) on a query that already has a non-aggregate .order_by() clause now raises a compile-time error instead of generating invalid SQL that would be rejected by the database at runtime (fixes #3815)
  • Added documentation for migration transaction behaviour at the crate root
  • Improved compile time error messages for #[derive(AsChangeset)]
  • Allow the use of generic types in infix_operator!()
  • Fixes for several instances of unsound, unspecified or otherwise dangerous behaviour:
    • Unsound string construction in SqliteValue::read_text/FromSql<Text, Sqlite> for String
    • Invalid alignment for over aligned data in SqliteConnection::register_function for aggregate functions
    • Potential memory leaks in SqliteConnection::register_function
    • Access to padding bytes while serializing Date/time types in the Mysql backend
    • SQL Option Injection in PostgreSQL COPY FROM/TO
    • Unspecified pointer cast in Debug/Display implementation of batch INSERT statements for SQLite
    • Invalid call order of SQLite API functions in SqliteValue::read_text/FromSql<Text, Sqlite> for String/SqliteValue::read_blob()/FromSql<Binary, Sqlite> for Vec<u8>
    • Potential unsound pointer access for FromSql<Binary, _> for Vec<u8> and FromSql<Text, _> for String for third party backends (requires changes to the third party backend as well)

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • ""
  • Automerge
    • "after 8pm,before 6am"

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate.
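
The resolution quoted above for the SqliteAggregate advisory is to allocate the state on the Rust side. As an added example (not Diesel's code and not part of the bot's comment), this sketch keeps an over-aligned value in a `Box` and stores only its pointer in a slot whose alignment is not guaranteed. `Accumulator`, `foreign_slot`, `store_boxed` and `take_boxed` are hypothetical names, and the byte buffer is a constructed stand-in for memory handed out by a C allocator.

```rust
use std::mem::align_of;
use std::ptr;

/// Over-aligned aggregate state (constructed for this example).
#[repr(align(64))]
#[derive(Debug, PartialEq)]
pub struct Accumulator { pub sum: i64, pub rows: u64 }

/// True if `p` satisfies the alignment that `T` requires.
pub fn aligned_for<T>(p: *const u8) -> bool {
    (p as usize) % align_of::<T>() == 0
}

/// Hypothetical stand-in for a context buffer from a foreign allocator:
/// picks a slot in `backing` that is deliberately not 64-byte aligned.
pub fn foreign_slot(backing: &mut [u8]) -> *mut u8 {
    let base = backing.as_mut_ptr();
    let off = if aligned_for::<Accumulator>(base) { 1 } else { 0 };
    unsafe { base.add(off) } // in bounds: callers pass at least 16 bytes
}

/// Allocate `value` with Rust's allocator, which honours `repr(align)`, and
/// store only the pointer in the slot, without assuming the slot is aligned.
/// Safety: `slot` must be valid for writing `size_of::<*mut T>()` bytes.
pub unsafe fn store_boxed<T>(slot: *mut u8, value: T) -> *mut T {
    let raw = Box::into_raw(Box::new(value));
    unsafe { ptr::write_unaligned(slot as *mut *mut T, raw) };
    raw
}

/// Read the pointer back and reclaim ownership, so the value is freed once.
/// Safety: `slot` must hold a pointer from `store_boxed::<T>` not yet taken.
pub unsafe fn take_boxed<T>(slot: *mut u8) -> Box<T> {
    unsafe { Box::from_raw(ptr::read_unaligned(slot as *const *mut T)) }
}

/// Round trip: (slot aligned?, boxed value aligned?, value read back).
pub fn demo() -> (bool, bool, Accumulator) {
    let mut backing = [0u8; 64];
    let slot = foreign_slot(&mut backing);
    let slot_ok = aligned_for::<Accumulator>(slot);
    let raw = unsafe { store_boxed(slot, Accumulator { sum: 41, rows: 1 }) };
    let boxed_ok = aligned_for::<Accumulator>(raw as *const u8);
    unsafe { (*raw).sum += 1 }; // state is used through the aligned pointer
    let boxed = unsafe { take_boxed::<Accumulator>(slot) };
    (slot_ok, boxed_ok, *boxed)
}

fn main() {
    println!("{:?}", demo());
}
```

Writing an `Accumulator` directly into the slot would create a misaligned reference; the slot only ever holds pointer bytes here.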

oxide-renovate Bot added the dependencies label (Pull requests that update a dependency file) on May 6, 2026
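
The COPY FROM/COPY TO advisory quoted in the bot's comment comes down to a string option being placed between single quotes without escaping. As an added example (not Diesel's API or implementation), this sketch builds a COPY option list both ways and uses a small scanner to list the option names that end up outside string literals. `copy_options`, `quote_literal` and `option_names` are hypothetical names, the input is a constructed sample, and quote doubling assumes PostgreSQL's default `standard_conforming_strings = on`.

```rust
/// Wrap `value` as a SQL string literal, doubling embedded single quotes.
/// Assumes standard_conforming_strings = on (backslashes are literal).
pub fn quote_literal(value: &str) -> String {
    format!("'{}'", value.replace('\'', "''"))
}

/// Build a COPY option list with a caller-supplied NULL marker.
/// `escape = false` reproduces the unescaped interpolation for comparison.
pub fn copy_options(null_marker: &str, escape: bool) -> String {
    let lit = if escape {
        quote_literal(null_marker)
    } else {
        format!("'{}'", null_marker)
    };
    format!("FORMAT csv, NULL {}", lit)
}

fn first_word(item: &str) -> Option<String> {
    item.split_whitespace().next().map(str::to_uppercase)
}

/// List the option names that appear outside string literals, treating a
/// doubled quote inside a literal as an escaped quote.
pub fn option_names(clause: &str) -> Vec<String> {
    let mut names = Vec::new();
    let mut item = String::new();
    let mut in_lit = false;
    let mut chars = clause.chars().peekable();
    while let Some(c) = chars.next() {
        match c {
            '\'' if in_lit && chars.peek() == Some(&'\'') => {
                chars.next(); // escaped quote, still inside the literal
            }
            '\'' => in_lit = !in_lit,
            ',' if !in_lit => names.extend(first_word(&std::mem::take(&mut item))),
            _ if !in_lit => item.push(c),
            _ => {} // literal content never contributes an option name
        }
    }
    names.extend(first_word(&item));
    names
}

fn main() {
    let input = "x', HEADER 'true"; // constructed sample value
    for escape in [false, true] {
        let clause = copy_options(input, escape);
        println!("{clause}  ->  {:?}", option_names(&clause));
    }
}
```

The same scanner can serve as a regression check in application code that builds COPY options from request data: the set of option names must not depend on the values.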
iliana commented May 6, 2026

Omicron does not use Diesel's SQLite backend. Dismissed https://github.com/oxidecomputer/omicron/security/dependabot/102.

Keeping open in case we want to merge an update anyway.

iliana changed the title from "Update Rust crate diesel to v2.3.8 [SECURITY]" to "Update Rust crate diesel to v2.3.8" on May 6, 2026
oxide-renovate Bot changed the title from "Update Rust crate diesel to v2.3.8" to "Update Rust crate diesel to v2.3.8 - autoclosed" on May 6, 2026
oxide-renovate Bot closed this on May 6, 2026
oxide-renovate Bot deleted the renovate/crate-diesel-vulnerability branch on May 6, 2026 16:07
oxide-renovate Bot changed the title from "Update Rust crate diesel to v2.3.8 - autoclosed" to "Update Rust crate diesel to v2.3.8 [SECURITY]" on May 12, 2026
oxide-renovate Bot reopened this on May 12, 2026
oxide-renovate Bot force-pushed the renovate/crate-diesel-vulnerability branch 2 times, most recently from 10bb4eb to 7a402b0 on May 12, 2026 03:33