The Rust team has announced a security vulnerability in rust 1.27.0 and earlier:
https://groups.google.com/forum/#%21topic/rustlang-security-announcements/4ybxYLTtXuM

It was assigned CVE-2018-1000622.

The vulnerability is fixed in rust 1.27.1, already pushed to Cauldron and now pushed to Mageia 6 core/updates_testing.

Advisory:
=========

Updated rust packages fix security vulnerability

The Rust Programming Language rustdoc version before version 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appears to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability has been fixed in 1.27.1.

Reference:
- https://groups.google.com/forum/#%21topic/rustlang-security-announcements/4ybxYLTtXuM
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000622

SRPM in core/updates_testing:
=============================
rust-1.27.1-1.1.mga6

RPMs in core/updates_testing:
=============================
cargo-1.27.0-1.1.mga6
cargo-doc-1.27.0-1.1.mga6
rust-1.27.1-1.1.mga6
rust-analysis-1.27.1-1.1.mga6
rust-debugger-common-1.27.1-1.1.mga6
rust-doc-1.27.1-1.1.mga6
rust-gdb-1.27.1-1.1.mga6
rust-lldb-1.27.1-1.1.mga6
rust-src-1.27.1-1.1.mga6
rust-std-static-1.27.1-1.1.mga6
rls_version-0.127.0-1.1.mga6
rustfmt_version-0.6.1-1.1.mga6

Testing procedure:
==================
Bug 22882 comment 1.
CVE: (none) => CVE-2018-1000622
Updated advisory:

Advisory:
=========

Updated rust packages fix security vulnerability

The Rust Programming Language rustdoc version before version 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appears to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability has been fixed in 1.27.1 (CVE-2018-1000622).

This update also fixes a bug in the borrow checker verification of match expressions.

References:
- https://blog.rust-lang.org/2018/07/06/security-advisory-for-rustdoc.html
- https://blog.rust-lang.org/2018/07/10/Rust-1.27.1.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000622
Mageia 6, x86_64

Updated all the packages. Followed the test procedure in bug 22882.

$ cargo install ripgrep --force
    Updating registry `https://github.com/rust-lang/crates.io-index`
  Installing ripgrep v0.8.1
 Downloading log v0.4.3
[...]
 Downloading globset v0.4.0
   Compiling void v1.0.2
[...]
   Compiling ignore v0.4.2
    Finished release [optimized + debuginfo] target(s) in 1m 12.27s
   Replacing /home/lcl/.cargo/bin/rg
$ ls .cargo
bin/  registry/
$ ls .cargo/bin
iota*  rg*
$ rg --version
ripgrep 0.8.1
-SIMD -AVX

ripgrep appears to be a pattern matching utility. For instance, in the user's Home directory:

$ rg cargo
ruby/gemlist
3457:cargo (0.0.1)
3458:cargowise (0.8.4)
7072:escargot (0.0.3)
14962:motr-cargo (0.0.2)

text/notes.vega
2039:rice, and soya beans. Only the transport of bulk cargoes was and much more.

$ cd Downloads
$ rg cargo
$

The include and exclude globbing options do not appear to work:

$ rg --glob ruby cargo
No files were searched, which means ripgrep probably applied a filter you didn't expect. Try running again with --debug.

In this case the shell gets there first.

$ rg --glob !ruby cargo
bash: !ruby: event not found

$ cd ~/qa/rust/rust-hello_world/
$ ls
Cargo.toml  src/
$ ls src
main.rs
$ cargo run
   Compiling hello_world v0.0.1 (file:///home/lcl/qa/rust/rust-hello_world)
    Finished dev [unoptimized + debuginfo] target(s) in 0.89s
     Running `target/debug/hello_world`
Hello World! I'm a Rustacean!

Noted that a directory target appeared.

$ ls target/debug
build/  deps/  examples/  hello_world*  hello_world.d  incremental/  native/

Looks like there is a problem here:

$ rustfmt -v src/main.rs
bash: rustfmt: command not found
$ sudo updatedb
$ locate rustfmt
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/atty-0.2.10/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/atty-0.2.8/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-2.31.2/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-2.32.0/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/encoding_rs-0.7.2/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/gag-0.1.9/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/tempfile-2.2.0/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/textwrap-0.9.0/.rustfmt.toml

Alas, discovered a PoC too late, at https://blog.rust-lang.org/2018/07/10/Rust-1.27.1.html.
Replaced main.rs with this code (it is meant to fail: a patched compiler must reject the `&t` pattern):

fn main() {
    let a = vec!["".to_string()];
    a.iter().enumerate()
            .take_while(|(_, &t)| false)
            .collect::<Vec<_>>();
}

Compiled it to generate the expected error message after the patch:
------------------------------------------------------------------------------
   Compiling hello_world v0.0.1 (file:///home/lcl/qa/rust/rust-hello_world)
warning: unused variable: `t`
 --> src/main.rs:4:31
  |
4 |             .take_while(|(_, &t)| false)
  |                               ^ help: consider using `_t` instead
  |
  = note: #[warn(unused_variables)] on by default

error[E0507]: cannot move out of borrowed content
 --> src/main.rs:4:30
  |
4 |             .take_while(|(_, &t)| false)
  |                              ^-
  |                              ||
  |                              |hint: to prevent move, use `ref t` or `ref mut t`
  |                              cannot move out of borrowed content

error: aborting due to previous error

For more information about this error, try `rustc --explain E0507`.
error: Could not compile `hello_world`.

To learn more, run the command again with --verbose.
------------------------------------------------------------------------------

This confirms that the patch works in Mageia.

Withholding the OK for an explanation of the missing rustfmt command and the oddities with --glob.
CC: (none) => tarazed25
Tried installing rustfmt - that succeeded but it turns out that the command is deprecated. It can be run with the --force option. It made a slight difference to the code and kept a backup.

$ rustfmt -v --force panic_not.rs
$ cat panic_not.rs
fn main() {
    let a = vec!["".to_string()];
    a.iter()
        .enumerate()
        .take_while(|(_, &t)| false)
        .collect::<Vec<_>>();
}

Tried to install the recommended rustfmt-nightly but the build failed.

error[E0554]: #![feature] may not be used on the stable release channel
  --> /home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/rustc-ap-serialize-196.0.0/lib.rs:25:1
   |
25 | #![feature(rustc_private, box_syntax)]
   | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

error[E0554]: #![feature] may not be used on the stable release channel
  --> /home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/rustc-ap-serialize-196.0.0/lib.rs:27:1
   |
27 | #![feature(specialization)]
   | ^^^^^^^^^^^^^^^^^^^^^^^^^^^

error[E0554]: #![feature] may not be used on the stable release channel
  --> /home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/rustc-ap-serialize-196.0.0/lib.rs:28:1
   |
28 | #![feature(never_type)]
   | ^^^^^^^^^^^^^^^^^^^^^^^

error: aborting due to 4 previous errors
Looks like I gave the wrong package names for rls and rustfmt, fixed now:

RPMs in core/updates_testing:
=============================
cargo-1.27.0-1.1.mga6
cargo-doc-1.27.0-1.1.mga6
rust-1.27.1-1.1.mga6
rust-analysis-1.27.1-1.1.mga6
rust-debugger-common-1.27.1-1.1.mga6
rust-doc-1.27.1-1.1.mga6
rust-gdb-1.27.1-1.1.mga6
rust-lldb-1.27.1-1.1.mga6
rust-src-1.27.1-1.1.mga6
rust-std-static-1.27.1-1.1.mga6
rls-preview-0.127.0-1.1.mga6
rustfmt-preview-0.6.1-1.1.mga6

> In this case the shell gets there first.
> $ rg --glob !ruby cargo
> bash: !ruby: event not found

In bash `!` triggers a lookup for a previous event starting with the following substring. To prevent that, you need to quote the argument:

$ rg --glob '!ruby' cargo
Re comment 4. Yeah, that is what I figured, but it did not work when I tried it. Strangely enough it worked just now (gremlins!), and sure enough it excluded the ruby tree. So all is well. Thanks Rémi.
Whiteboard: (none) => MGA6-64-OK
Addendum: Installed the preview packages and tried rustfmt again. No problems.

$ rustfmt src/main.rs
$ cat src/main.rs
fn main() {
    let a = vec!["".to_string()];
    a.iter()
        .enumerate()
        .take_while(|(_, &t)| false)
        .collect::<Vec<_>>();
}

A minor change there, from a.iter().enumerate() to what you see.

$ cargo help rls
error: The subcommand 'rls' wasn't recognized
$ cargo install rls --force
    Updating registry `https://github.com/rust-lang/crates.io-index`
 Downloading rls v0.122.2
  Installing rls v0.122.2
   Compiling rls v0.122.2
    Finished release [optimized] target(s) in 5.07s
  Installing /home/lcl/.cargo/bin/rls
$ cargo help rls
error: The subcommand 'rls' wasn't recognized
@Rémi, apropos subcommands. Is installing a subcommand after installing a related Mageia package a legitimate procedure when the subcommand does not show up, or might it lead to a version mismatch of some kind? In other words, for example, should installation of the rls-preview package have made the rls command available?
Whiteboard: MGA6-64-OK => (none)
(In reply to Len Lawrence from comment #7)

cargo subcommands are those listed with `cargo --list`. Using `cargo install <pkg>` does not install a subcommand for cargo, it installs a new library or application after building it from source (a "crate"). That's what happens when you do `cargo install ripgrep`, you build and install the ripgrep application. If ripgrep was provided as a Mageia package, it would indeed conflict with it and running `rg` might run the one or the other depending on your PATH order (just like happens when installing python packages from Mageia together with pip packages).

So your `cargo install rls` did not install a subcommand for cargo, but the `rls` application in `/home/lcl/.cargo/bin/rls`. Provided `~/.cargo/bin` is in your PATH, you should be able to run it with `rls`. If you install Mageia's `rls-preview`, both `/home/lcl/.cargo/bin/rls` (self installed with cargo) and `/usr/bin/rls` (from the Mageia package) will provide the same feature, albeit possibly in different versions.
Thanks Rémi. That gives a much clearer picture of what is going on. It certainly looks like we should avoid cargo install in a testing environment then. After some local cleaning up and a quick test or two this should be good to go. Later.
Removed ~/.cargo/bin from PATH and ran some commands again.

$ rustfmt -v src/main.rs
Formatting /home/lcl/qa/rust/rust-hello_world/src/main.rs
Spent 0.001 secs in the parsing phase, and 0.000 secs in the formatting phase
$ cd .cargo/bin/
$ ls
cargo-fmt*  iota*  rg*  rls*  rustfmt*
$ rm rustfmt rls

Added /home/lcl/.cargo/bin to PATH.

$ path
/usr/local/bin
/usr/bin
/usr/local/games
/usr/games
/usr/lib64/qt4/bin
/home/lcl/bin
/home/lcl/.cargo/bin/
$ cargo list | grep rg
$

"rg include" and "rg --glob '!ruby' include" worked as expected using the installed command. Note that the quotes need to be hard quotes. Double quotes allow shell access.

rust is fine for 64-bits.
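Comment 9 and the PATH experiments in the comment above both turn on the same thing: a command built with `cargo install` into ~/.cargo/bin and the same command from a Mageia RPM in /usr/bin, with PATH order deciding which one actually runs. That is the same class of problem (CWE-427, uncontrolled search path) as the rustdoc advisory itself, so a tester wants to know about it before running a test procedure. The script below is an added example, not code from this bug report or from Mageia: it walks a PATH string in search order and reports every command name that resolves in more than one directory. The layout it inspects is constructed in a temp dir standing in for ~/.cargo/bin and /usr/bin; the directory names cargo-bin and usr-bin, and the stub commands, are the example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any Mageia package.
# Lists command names that exist in two or more directories of a PATH
# string: the first directory wins, so every later copy is shadowed.
# The layout built by demo_shadowing is constructed for the demo and
# stands in for ~/.cargo/bin (cargo install) and /usr/bin (RPMs).

# shadowed_commands PATH_STRING
# Prints one line per shadowed name: "<name> <dir that wins> <shadowed dirs...>"
shadowed_commands() {
    _rest=$1
    _tmp=$(mktemp)
    while [ -n "$_rest" ]; do
        # Peel off the next PATH entry, in search order.
        case $_rest in
            *:*) _dir=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _dir=$_rest;       _rest= ;;
        esac
        [ -d "$_dir" ] || continue
        for _f in "$_dir"/*; do
            [ -f "$_f" ] && [ -x "$_f" ] || continue
            printf '%s %s\n' "${_f##*/}" "$_dir" >>"$_tmp"
        done
    done
    # Group by name. The directory list keeps PATH order because the file
    # was written in PATH order; only names seen more than once are printed.
    awk '{ dirs[$1] = dirs[$1] " " $2; seen[$1]++ }
         END { for (n in dirs) if (seen[n] > 1) print n dirs[n] }' "$_tmp" | sort
    rm -f "$_tmp"
}

# demo_shadowing: build the constructed layout, run the check, and print
# the result with the temp root stripped so the output is stable.
demo_shadowing() {
    _root=$(mktemp -d)
    mkdir -p "$_root/cargo-bin" "$_root/usr-bin"
    # rls and rustfmt installed twice: self-built via cargo and packaged.
    for _c in rls rustfmt; do
        printf '#!/bin/sh\necho self-built %s\n' "$_c" >"$_root/cargo-bin/$_c"
        printf '#!/bin/sh\necho packaged %s\n' "$_c" >"$_root/usr-bin/$_c"
        chmod 0755 "$_root/cargo-bin/$_c" "$_root/usr-bin/$_c"
    done
    # rg only self-built, cargo only packaged: present once, so not reported.
    printf '#!/bin/sh\n' >"$_root/cargo-bin/rg";  chmod 0755 "$_root/cargo-bin/rg"
    printf '#!/bin/sh\n' >"$_root/usr-bin/cargo"; chmod 0755 "$_root/usr-bin/cargo"
    shadowed_commands "$_root/cargo-bin:$_root/usr-bin" | sed "s|$_root/||g"
    rm -rf "$_root"
}

# On a real system run: shadowed_commands "$PATH"
```

The demo prints `rls cargo-bin usr-bin` and `rustfmt cargo-bin usr-bin`: the cargo-built copies win because their directory comes first, exactly the situation in which a tester would be exercising a self-built rls rather than the rls-preview RPM under test. Run against the live `$PATH` before and after removing ~/.cargo/bin, the report should go empty once only the packaged binaries remain.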
Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0318.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED