Fix RUSTSEC-2026-0002: Patch lru soundness vulnerability in iced_glyphon (#61)

* Initial plan

* Fix RUSTSEC-2026-0002: Patch lru vulnerability in iced_glyphon

Co-authored-by: doublegate <[email protected]>

* Add documentation for RUSTSEC-2026-0002 security fix

Co-authored-by: doublegate <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: doublegate <[email protected]>

Author: Copilot

Cargo.lock

@@ -107,4 +107,10 @@ strip = true
 
 [profile.bench]
 opt-level = 3
-debug = false
+debug = false
+
+# Security fix for RUSTSEC-2026-0002: IterMut violates Stacked Borrows  
+# Patch vulnerable lru 0.12.5 by replacing iced_glyphon with patched version
+# The patched version updates lru from 0.12.1 to 0.16.3 which includes the security fix
+[patch.crates-io]
+iced_glyphon = { path = "vendor/iced_glyphon" }

Cargo.toml

@@ -0,0 +1,85 @@
+# Security Fix: RUSTSEC-2026-0002
+
+## Summary
+
+Fixed a soundness vulnerability in the `lru` crate (version 0.12.5) used as a transitive dependency through `iced_glyphon`.
+
+## Vulnerability Details
+
+- **Advisory**: RUSTSEC-2026-0002
+- **Package**: `lru`
+- **Affected Versions**: 0.9.0 to 0.16.2 (inclusive)
+- **Patched Version**: 0.16.3+
+- **Severity**: Unsound (memory safety issue)
+- **Issue**: `IterMut` violates Stacked Borrows by invalidating internal pointer
+
+### Technical Description
+
+The `IterMut` iterator implementation in the vulnerable lru versions temporarily creates an exclusive reference (`&mut`) to the key when dereferencing the internal node pointer. This invalidates the shared pointer (`&`) held by the internal `HashMap`, violating Rust's Stacked Borrows rules and potentially causing undefined behavior.
+
+## Dependency Chain
+
+```
+rustirc v0.3.8
+└── rustirc-gui v0.3.8
+    └── iced v0.13.1
+        └── iced_wgpu v0.13.5
+            └── iced_glyphon v0.6.0
+                └── lru v0.12.5  ← VULNERABLE
+```
+
+## Solution Implemented
+
+Since `iced_glyphon` v0.6.0 depends on `lru ^0.12.1` and there's no newer version of `iced_glyphon` available that uses the patched lru, we implemented a vendor patch:
+
+1. **Downloaded** `iced_glyphon` v0.6.0 source code
+2. **Modified** `Cargo.toml` to update lru dependency from `0.12.1` to `0.16.3`
+3. **Vendored** the patched version in `vendor/iced_glyphon/`
+4. **Applied** Cargo patch in workspace `Cargo.toml`:
+   ```toml
+   [patch.crates-io]
+   iced_glyphon = { path = "vendor/iced_glyphon" }
+   ```
+
+## Verification
+
+Before fix:
+```
+lru v0.12.5  ← Vulnerable
+└── iced_glyphon v0.6.0
+```
+
+After fix:
+```
+lru v0.16.3  ← Patched
+└── iced_glyphon v0.6.0 (vendored)
+```
+
+## Testing
+
+- ✅ Clean build successful
+- ✅ All tests passing
+- ✅ Clippy clean (no warnings)
+- ✅ No vulnerable lru versions in dependency tree
+
+## Future Maintenance
+
+This vendor patch can be removed when:
+- `iced_glyphon` releases a version with lru 0.16.3+
+- Upgrading to iced 0.14+ (which may use different text rendering)
+- Switching to `cryoglyph` (iced-rs fork with updated dependencies)
+
+## References
+
+- RustSec Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0002
+- GitHub Advisory: https://github.com/advisories/GHSA-rhfx-m35p-ff5j
+- lru-rs Fix PR: https://github.com/jeromefroe/lru-rs/pull/224
+- Affected Package: https://crates.io/crates/lru/0.12.5
+- Patched Package: https://crates.io/crates/lru/0.16.3
+
+## Files Modified
+
+- `Cargo.toml`: Added `[patch.crates-io]` section
+- `Cargo.lock`: Updated lru dependency to 0.16.3
+- `vendor/`: Added patched iced_glyphon source
+- `vendor/README.md`: Documentation for vendored dependencies

SECURITY-FIX-RUSTSEC-2026-0002.md

@@ -0,0 +1,22 @@
+# Vendored Dependencies
+
+This directory contains vendored copies of dependencies that have been patched for security or compatibility reasons.
+
+## iced_glyphon
+
+**Reason**: Security patch for RUSTSEC-2026-0002  
+**Original version**: 0.6.0  
+**Issue**: The original iced_glyphon 0.6.0 depends on lru 0.12.5, which contains a soundness bug where `IterMut` violates Stacked Borrows by invalidating internal pointers.
+
+**Changes made**:
+- Updated `lru` dependency from 0.12.1 to 0.16.3 in Cargo.toml
+
+**Affected versions**: lru 0.9.0 - 0.16.2  
+**Fixed version**: lru 0.16.3+
+
+**Upstream tracking**:
+- RustSec Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0002
+- lru-rs PR #224: https://github.com/jeromefroe/lru-rs/pull/224
+- iced_glyphon issue: https://github.com/hecrj/glyphon (no newer version available yet)
+
+**Future**: This patch can be removed once iced_glyphon releases a version that depends on lru 0.16.3 or higher, or when upgrading to iced 0.14+ which may use a different text rendering backend.

vendor/README.md

@@ -0,0 +1,6 @@
+{
+  "git": {
+    "sha1": "647575039c86faf21518c3064f9dde2dacf16db7"
+  },
+  "path_in_vcs": ""
+}

vendor/iced_glyphon/.cargo_vcs_info.json

@@ -0,0 +1 @@
+github: [grovesNL]

vendor/iced_glyphon/.github/FUNDING.yml

@@ -0,0 +1,21 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Build
+        run: cargo build --verbose
+      - name: Run tests
+        run: cargo test --verbose

vendor/iced_glyphon/.github/workflows/ci.yml

@@ -0,0 +1,3 @@
+/target
+.vscode
+Cargo.lock

vendor/iced_glyphon/.gitignore

@@ -0,0 +1,62 @@
+# THIS FILE IS AUTOMATICALLY GENERATED BY CARGO
+#
+# When uploading crates to the registry Cargo will automatically
+# "normalize" Cargo.toml files for maximal compatibility
+# with all versions of Cargo and also rewrite `path` dependencies
+# to registry (e.g., crates.io) dependencies.
+#
+# If you are reading this file be aware that the original Cargo.toml
+# will likely look very different (and much more reasonable).
+# See Cargo.toml.orig for the original contents.
+
+[package]
+edition = "2021"
+name = "iced_glyphon"
+version = "0.6.0"
+build = false
+autobins = false
+autoexamples = false
+autotests = false
+autobenches = false
+description = "Fast, simple 2D text rendering for wgpu"
+homepage = "https://github.com/hecrj/glyphon.git"
+readme = "README.md"
+license = "MIT OR Apache-2.0 OR Zlib"
+repository = "https://github.com/hecrj/glyphon"
+
+[lib]
+name = "iced_glyphon"
+path = "src/lib.rs"
+
+[[example]]
+name = "hello-world"
+path = "examples/hello-world.rs"
+
+[dependencies.cosmic-text]
+version = "0.12"
+
+[dependencies.etagere]
+version = "0.2.10"
+
+[dependencies.lru]
+version = "0.16.3"
+default-features = false
+
+[dependencies.rustc-hash]
+version = "2.0"
+
+[dependencies.wgpu]
+version = "0.19"
+features = ["wgsl"]
+default-features = false
+
+[dev-dependencies.pollster]
+version = "0.3.0"
+
+[dev-dependencies.wgpu]
+version = "0.19"
+default-features = true
+
+[dev-dependencies.winit]
+version = "0.29.10"
+features = ["rwh_05"]