| Summary: | rust new security issues CVE-2020-36323, CVE-2021-2887[689], and CVE-2021-31162 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, ouaurelien, rverschelde, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | rust-1.49.0-1.mga8.src.rpm | CVE: | CVE-2020-36323, CVE-2021-2887[689], and CVE-2021-31162 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 29083 | ||
|
Description
David Walser
2021-05-29 23:56:44 CEST
David Walser
2021-05-29 23:57:00 CEST
Status comment:
(none) =>
Fixed upstream in 1.52.0

My plan is to update Mageia 8 to Rust 1.52.1 (which means 3 incremental rust builds from 1.49.0 to 1.52.1 then rebuild of packages using rust). For Mageia 7 which has Rust 1.43.1, this will likely be a WONTFIX (though I'll check if there's a backportable patch).

Status:
NEW =>
ASSIGNED

rust-1.52.1-1.mga8 is in mga8 core/updates_testing (finalizing upload now). I'll rebuild packages using rust tomorrow (already bumped subrel in SVN): alacritty/ cargo-c/ dust/ firefox/ librsvg/ mozjs68/ mozjs78/ neovim-gtk/ ripgrep/ suricata/ thunderbird/

Thanks. I'll make sure Firefox gets built against the updated rust, so don't put another subrel on that or rebuild it again. Thunderbird 78.11.0 should be coming very soon, so no need to fool with that for this update. If you're rebuilding mozjs78 anyway, it would make sense to update it too. suricata needs an update (Bug 29012) so you can leave that one alone for now. librsvg needs a security update (Bug 29055), so it'd be cool if you could help with that one.

OK, leaving out firefox, thunderbird and suricata. librsvg doesn't need an update in Mageia 8 (not vulnerable), so I'll rebuild it in this mga8 update candidate for rust. Working on an update to mozjs78 78.11.0.

The rest has been built:
rust-1.52.1-1.mga8
alacritty-0.7.1-1.1.mga8
cargo-c-0.7.0-1.1.mga8
dust-0.5.1-1.1.mga8
librsvg-2.50.3-1.1.mga8
mozjs68-68.11.0-1.1.mga8
neovim-gtk-0.2.0-0.git20190512.2.1.mga8
ripgrep-12.1.1-1.1.mga8

Upcoming: mozjs78-78.11.0-1.mga8

Update candidate for Mageia 8 below. Didn't work on Mageia 7 for now, but as mentioned in comment 1 I probably won't, the amount of work required is not justified for these issues so close to EOL.

Advisory:
=========

Updated rust packages fix security vulnerabilities

This Rust update to version 1.52.1 includes security fixes for CVE-2020-36323, CVE-2021-28876, CVE-2021-28878, CVE-2021-28879, and CVE-2021-31162. These are memory safety bugs in the Rust standard library. Because it is statically linked, affected applications will need to be rebuilt to benefit from the fixes. The actual security implications will depend on how these APIs are used in each particular case.

This update also provides new features and bugfixes included in Rust since the previously packaged version 1.49.0. See the referenced release notes for details.

The mozjs78 package is also updated from version 78.7.0 to 78.11.0 (ESR).

References:
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CZ337CM4GFJLRDFVQCGC7J25V65JXOG5/
- https://blog.rust-lang.org/2021/02/11/Rust-1.50.0.html
- https://blog.rust-lang.org/2021/03/25/Rust-1.51.0.html
- https://blog.rust-lang.org/2021/05/06/Rust-1.52.0.html
- https://blog.rust-lang.org/2021/05/10/Rust-1.52.1.html

SRPMs in core/updates_testing:
==============================
rust-1.52.1-1.mga8
alacritty-0.7.1-1.1.mga8
cargo-c-0.7.0-1.1.mga8
dust-0.5.1-1.1.mga8
librsvg-2.50.3-1.1.mga8
mozjs68-68.11.0-1.1.mga8
mozjs78-78.11.0-1.mga8
neovim-gtk-0.2.0-0.git20190512.2.1.mga8
ripgrep-12.1.1-1.1.mga8

RPMs in core/updates_testing:
=============================
cargo-1.52.1-1.mga8.x86_64.rpm
cargo-doc-1.52.1-1.mga8.noarch.rpm
clippy-1.52.1-1.mga8.x86_64.rpm
rls-1.52.1-1.mga8.x86_64.rpm
rust-1.52.1-1.mga8.x86_64.rpm
rust-analysis-1.52.1-1.mga8.x86_64.rpm
rust-debugger-common-1.52.1-1.mga8.noarch.rpm
rust-doc-1.52.1-1.mga8.x86_64.rpm
rust-gdb-1.52.1-1.mga8.noarch.rpm
rust-lldb-1.52.1-1.mga8.noarch.rpm
rust-src-1.52.1-1.mga8.noarch.rpm
rust-std-static-1.52.1-1.mga8.x86_64.rpm
rustfmt-1.52.1-1.mga8.x86_64.rpm
alacritty*-0.7.1-1.1.mga8
cargo-c-0.7.0-1.1.mga8
dust-0.5.1-1.1.mga8
librsvg-2.50.3-1.1.mga8
lib64rsvg2_2-2.50.3-1.1.mga8
lib64rsvg2-devel-2.50.3-1.1.mga8
lib64rsvg-gir2.0-2.50.3-1.1.mga8
lib64mozjs78-78.11.0-1.mga8
lib64mozjs-devel-78.11.0-1.mga8
lib64mozjs68-68.11.0-1.1.mga8
lib64mozjs68-devel-68.11.0-1.1.mga8
neovim-gtk-0.2.0-0.git20190512.2.1.mga8
neovim-gtk-docs-0.2.0-0.git20190512.2.1.mga8
ripgrep*-12.1.1-1.1.mga8

Assignee:
rverschelde =>
qa-bugs
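The advisory's point that the fixed standard library is statically linked, so each dependent package only benefits once it is rebuilt, suggests a check a QA tester can run on the delivered binaries: rustc records its own version in the ELF `.comment` section of every binary it links, and that string can be compared against the fixed toolchain version. The script below is an added example, not part of this bug report or of Mageia's QA tooling; the function names are mine, and it assumes the `.comment` section survived packaging (GNU `strip` keeps it by default), so a missing string is reported as "unknown" rather than as a pass.

```shell
#!/bin/sh
# Added example: confirm that Rust binaries were rebuilt with a toolchain at
# or above a given version by reading the "rustc version X.Y.Z" string that
# rustc leaves in the ELF .comment section. Assumption: the section was not
# removed during packaging; if it is absent the result is "unknown".

# rustc_version_of FILE: print the embedded rustc version (empty if none).
rustc_version_of() {
    grep -a -o 'rustc version [0-9][0-9.]*' "$1" | head -n 1 | awk '{ print $3 }'
}

# version_ge A B: exit 0 if dotted version A >= B, else 1 (numeric per field).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# check_rebuilt FILE MINVER: print "ok (v)", "stale (v)" or "unknown";
# exit 0 when the binary carries a toolchain version >= MINVER.
check_rebuilt() {
    v=$(rustc_version_of "$1")
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    if version_ge "$v" "$2"; then
        echo "ok ($v)"
        return 0
    fi
    echo "stale ($v)"
    return 1
}

# Usage: sh rust-rebuild-check.sh MINVER FILE...   e.g. 1.52.1 /usr/bin/rg
if [ "$#" -ge 2 ]; then
    min="$1"; shift
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(check_rebuilt "$f" "$min")"
    done
fi
```

Run it against the binaries from the rebuilt packages (for this update, `rg`, `dust`, `alacritty`, the librsvg and mozjs shared objects) with `1.52.1` as the minimum; a binary built before the toolchain update shows the older version string, which is the "stale" case the advisory's rebuild requirement is about.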
Rémi Verschelde
2021-06-01 11:38:33 CEST
CC:
(none) =>
rverschelde
mga8, x64
Installed all the packages and then updated them from testing.
Don't know what they all do so testing follows previous updates.
$ cargo install ripgrep --force
Updating crates.io index
Downloaded ripgrep v12.1.1
Downloaded 1 crate (256.5 KB) in 0.62s
Installing ripgrep v12.1.1
Downloaded crossbeam-utils v0.8.5
.....
This also created directories in .cargo:
$ ls .cargo
bin/ registry
$ path | grep cargo
/home/lcl/.cargo/bin
$ ls .cargo/bin
rg*
Does this override the installed version of ripgrep? .cargo/bin appears later in the PATH.
$ /bin/rg --version
ripgrep 12.1.1
-SIMD -AVX (compiled)
+SIMD +AVX (runtime)
$ .cargo/bin/rg --version
ripgrep 12.1.1
-SIMD -AVX (compiled)
+SIMD +AVX (runtime)
In this case the sources are probably the same anyway.
$ ll /bin/rg
-rwxr-xr-x 1 root root 4725456 Jun 1 08:17 /bin/rg*
$ ll .cargo/bin/rg
-rwxr-xr-x 1 lcl lcl 33565176 Jun 2 21:39 .cargo/bin/rg*
$ file /bin/rg
/bin/rg: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e2dd1290322f8b210e3a863630ae185f91da675b, for GNU/Linux 3.2.0, stripped
$ file .cargo/bin/rg
.cargo/bin/rg: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=1bcb2b501c2d115403ed15b799b8b67e13ad89bf, for GNU/Linux 3.2.0, with debug_info, not stripped
The point of all this is to understand if it matters for updates testing.
$ rg cargo
returned a huge list of files containing the string "cargo".
Moved to ~/qa/rust then
$ cd rust-hello_world
$ cargo run
Compiling hello_world v0.0.1 (/home/lcl/qa/rust/rust-hello_world)
Finished dev [unoptimized + debuginfo] target(s) in 1.67s
Running `target/debug/hello_world`
Hello World!
I'm a Rustacean!
$ rustfmt -v src/main.rs
Formatting /home/lcl/qa/rust/rust-hello_world/src/main.rs
Spent 0.002 secs in the parsing phase, and 0.000 secs in the formatting phase
$ rg -s -g '!.rb' cargo
Another long list, excluding ruby scripts.
$ dust -s -x qa
This locked up the machine, hitting all 20 CPU cores.
Eventually:
$ dust -s -x qa
429M ┌── RAW.tar │ █ │ 2%
445M ┌─┴ rawtherapee │ █ │ 2%
614M ├── openexr │ ██ │ 2%
388M │ ┌── Destination Moon Irving Pichel, 1950-fsXVfddSF_A.mp4│ ░█ │ 1%
754M ├─┴ python3 │ ██ │ 3%
636M │ ┌── BUILD │ ▒██ │ 2%
955M │ ┌─┴ docker │ ███ │ 4%
957M ├─┴ golang │ ███ │ 4%
.....................
This may have been hampered by remote access to an NAS drive. Something nearer to home delivered quicker results.
$ dust -s -x ./dev
74M ┌── python │ ███ │ 3%
75M │ ┌── tutorials │ ███ │ 3%
75M │ ┌─┴ run │ ███ │ 3%
75M │ ┌─┴ lcl-7 │ ███ │ 3%
75M ├─┴ OpenFOAM │ ███ │ 3%
194M │ ┌── stellarium-0.16.0-1.mga6.src.rpm│ ░░░░░██████ │ 7%
Giving this an OK.
CC:
(none) =>
tarazed25
Len Lawrence
2021-06-02 23:41:16 CEST
Whiteboard:
MGA7TOO =>
MGA7TOO MGA8-64-OK
David Walser
2021-06-06 19:24:14 CEST
Blocks:
(none) =>
29083
David Walser
2021-06-06 19:24:28 CEST
Whiteboard:
MGA7TOO MGA8-64-OK =>
MGA8-64-OK
Validating. Advisory in Comment 5.
Keywords:
(none) =>
validated_update
Aurelien Oudelet
2021-06-12 22:20:01 CEST
CVE:
(none) =>
CVE-2020-36323, CVE-2021-2887[689], and CVE-2021-31162
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0251.html
Status:
ASSIGNED =>
RESOLVED |