| Summary: | rust new security issue CVE-2022-21658 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, rverschelde, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | rust-1.56.1-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser 2022-01-20 19:32:00 CET

David Walser 2022-01-20 19:32:12 CET
Whiteboard: (none) => MGA8TOO

Rémi Verschelde 2022-01-20 22:53:34 CET
Status: NEW => ASSIGNED

openSUSE has issued an advisory for this today (January 21):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JWT2GLRS2EG6EW7X57X2RMJHMFK6GEWU/

Fedora has issued an advisory for this today (January 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/

rust-1.58.1-1.mga9 pushed to Cauldron which fixes it. Will prepare the update for Mageia 8 (current at 1.56.1, so need to build 1.57 first then 1.58.1).
Whiteboard: MGA8TOO => (none)

Updated to 1.57.0 and then patched for the CVE by Rémi. Rémi, can we get a release notes reference for 1.57.0?

Package list:
rust-1.57.0-1.1.mga8
rust-std-static-1.57.0-1.1.mga8
rust-src-1.57.0-1.1.mga8
rls-1.57.0-1.1.mga8
rust-analysis-1.57.0-1.1.mga8
cargo-1.57.0-1.1.mga8
rustfmt-1.57.0-1.1.mga8
rust-lldb-1.57.0-1.1.mga8
rust-gdb-1.57.0-1.1.mga8
rust-debugger-common-1.57.0-1.1.mga8
cargo-doc-1.57.0-1.1.mga8
clippy-1.57.0-1.1.mga8
rust-doc-1.57.0-1.1.mga8
from rust-1.57.0-1.1.mga8.src.rpm
Source RPM: rust-1.57.0-1.mga9.src.rpm => rust-1.56.1-1.mga8.src.rpm

mga8, x64
Updated all packages and followed tests from bug 29616.

```
$ cd qa/rust/rust-hello_world
$ cargo build
   Compiling hello_world v0.0.1 (/home/lcl/qa/rust/rust-hello_world)
    Finished dev [unoptimized + debuginfo] target(s) in 2.14s
$ cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.05s
     Running `target/debug/hello_world`
Hello World! I'm a Rustacean!
```

Tried a snippet lying around which appears to contain a deliberate error.

```
$ cat panic_not.rs
fn main() {
    let a = vec!["".to_string()];
    a.iter()
        .enumerate()
        .take_while(|(_, &t)| false)
        .collect::<Vec<_>>();
}
```

Copied panic_not.rs to main.rs in the src directory and then

```
$ cargo run
   Compiling panic_not v0.0.1 (/home/lcl/qa/rust/panic_not)
warning: unused variable: `t`
 --> src/main.rs:5:27
  |
5 |         .take_while(|(_, &t)| false)
  |                           ^ help: if this is intentional, prefix it with an underscore: `_t`
  |
  = note: `#[warn(unused_variables)]` on by default

error[E0507]: cannot move out of a shared reference
 --> src/main.rs:5:22
  |
5 |         .take_while(|(_, &t)| false)
  |                      ^^^^^-^
  |                      |    |
  |                      |    data moved here
  |                      move occurs because `t` has type `String`, which does not implement the `Copy` trait

For more information about this error, try `rustc --explain E0507`.
warning: `panic_not` (bin "panic_not") generated 1 warning
error: could not compile `panic_not` due to previous error; 1 warning emitted
<This shows how rust copes with a valid error>
$ rustc --explain E0507
<It does that OK>
$ rg -help
<works>
$ rg -s cargo .
./failure
4:error: failed to compile `rustfmt-nightly v0.8.3`, intermediate artifacts can be found at `/tmp/cargo-installwZm5ug`
<Other searches at different relative directory levels worked as well>
$ rg --version
ripgrep 12.1.1
-SIMD -AVX (compiled)
+SIMD +AVX (runtime)
$ cargo install ripgrep --force
    Updating crates.io index
<which took a while>
<lots of compiling....>
   Compiling ignore v0.4.18
   Compiling ripgrep v13.0.0
   Compiling grep-printer v0.1.6
   Compiling grep v0.2.8
    Finished release [optimized + debuginfo] target(s) in 1m 13s
   Replacing /home/lcl/.cargo/bin/rg
    Replaced package `ripgrep v12.1.1` with `ripgrep v13.0.0` (executable `rg`)
```

Using clippy requires a bit more research so giving this an OK.
CC: (none) => tarazed25

Advisory:
=========
Updated rust packages fix security vulnerability

This update provides Rust 1.57.0 as a feature and bugfix update. See the release notes for details.

The `std::fs::remove_dir_all` standard library function was vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete (CVE-2022-21658). This vulnerability was fixed by patching Rust 1.57.0.

References:
- https://blog.rust-lang.org/2021/12/02/Rust-1.57.0.html
- https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
- https://github.com/rust-lang/wg-security-response/tree/master/patches/CVE-2022-21658

SRPM in core/updates_testing:
=============================
rust-1.57.0-1.1.mga8

RPMs listed in comment 4.

Validating. Advisory in Comment 6
CC: (none) => andrewsfarm, sysadmin-bugs
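An added example (not code from this bug report, nor the Rust project's patch) contrasting the bug class the advisory names with the pattern a recursive delete should use: `fs::metadata` follows a symlink placed inside the tree, so the link's target gets wiped, while `symlink_metadata` and `DirEntry::file_type` classify the link as a link and it is unlinked in place. It assumes a Unix host (it creates a symlink) and builds a constructed fixture tree under a base path of the caller's choosing.

```rust
use std::fs;
use std::io;
use std::path::Path;

/// Vulnerable pattern: `fs::metadata` follows symlinks, so a link that points
/// at a directory is classified as a directory, recursed into, and the
/// target's contents are deleted. CVE-2022-21658 was a race in which a
/// directory could be swapped for such a link while a privileged
/// `remove_dir_all` was already walking the tree.
pub fn remove_dir_all_follows(dir: &Path) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        if fs::metadata(&path)?.is_dir() {
            remove_dir_all_follows(&path)?;
        } else {
            fs::remove_file(&path)?;
        }
    }
    fs::remove_dir(dir)
}

/// Hardened pattern: classify entries with calls that never follow a link
/// (`symlink_metadata`, `DirEntry::file_type`) and unlink a symlink entry
/// itself instead of descending into whatever it points at.
pub fn remove_dir_all_nofollow(dir: &Path) -> io::Result<()> {
    if fs::symlink_metadata(dir)?.file_type().is_symlink() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "top-level path is a symlink"));
    }
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        if entry.file_type()?.is_dir() {
            remove_dir_all_nofollow(&entry.path())?;
        } else {
            // Regular file or symlink: remove the entry, never its target.
            fs::remove_file(entry.path())?;
        }
    }
    fs::remove_dir(dir)
}

/// Constructed fixture (hypothetical layout, not from the bug report):
/// `<base>/victim/keep.txt` and `<base>/target/{sub/a.txt, link -> ../victim}`.
pub fn build_fixture(base: &Path) -> io::Result<()> {
    let _ = fs::remove_dir_all(base); // start clean; a missing base is fine
    fs::create_dir_all(base.join("victim"))?;
    fs::write(base.join("victim/keep.txt"), b"must survive")?;
    fs::create_dir_all(base.join("target/sub"))?;
    fs::write(base.join("target/sub/a.txt"), b"to be removed")?;
    std::os::unix::fs::symlink("../victim", base.join("target/link"))
}
```

This removes the symlink following, but a window between classifying an entry and recursing into it remains; the upstream fix closes it by working relative to an open directory descriptor (openat with O_NOFOLLOW on Unix), which needs libc-level calls rather than std alone.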
Dave Hodgins 2022-02-02 20:34:14 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0044.html
Resolution: (none) => FIXED