Bug 23328 - rust new security issue CVE-2018-1000622
Summary: rust new security issue CVE-2018-1000622
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-18 14:09 CEST by Rémi Verschelde
Modified: 2018-07-24 00:29 CEST (History)
2 users

See Also:
Source RPM: rust-1.27.0-1.mga6
CVE: CVE-2018-1000622
Status comment:



Description Rémi Verschelde 2018-07-18 14:09:43 CEST
The Rust team has announced a security vulnerability in rust 1.27.0 and earlier: https://groups.google.com/forum/#%21topic/rustlang-security-announcements/4ybxYLTtXuM

It was assigned CVE-2018-1000622.

The vulnerability is fixed in rust 1.27.1, already pushed to Cauldron and now pushed to Mageia 6 core/updates_testing.


Advisory:
=========

Updated rust packages fix security vulnerability

  The Rust Programming Language rustdoc version before version 1.27.0 contains
  a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins
  that can result in local code execution as a different user. This attack
  appears to be exploitable via using the --plugin flag without the --plugin-path
  flag. This vulnerability has been fixed in 1.27.1.

Reference:

 - https://groups.google.com/forum/#%21topic/rustlang-security-announcements/4ybxYLTtXuM
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000622


SRPM in core/updates_testing:
=============================

rust-1.27.1-1.1.mga6

RPMs in core/updates_testing:
=============================

cargo-1.27.0-1.1.mga6
cargo-doc-1.27.0-1.1.mga6

rust-1.27.1-1.1.mga6
rust-analysis-1.27.1-1.1.mga6
rust-debugger-common-1.27.1-1.1.mga6
rust-doc-1.27.1-1.1.mga6
rust-gdb-1.27.1-1.1.mga6
rust-lldb-1.27.1-1.1.mga6
rust-src-1.27.1-1.1.mga6
rust-std-static-1.27.1-1.1.mga6

rls_version-0.127.0-1.1.mga6

rustfmt_version-0.6.1-1.1.mga6


Testing procedure:
==================

Bug 22882 comment 1.
Rémi Verschelde 2018-07-18 14:09:59 CEST

CVE: (none) => CVE-2018-1000622

Comment 1 Rémi Verschelde 2018-07-18 14:13:36 CEST
Updated advisory:

Advisory:
=========

Updated rust packages fix security vulnerability

  The Rust Programming Language rustdoc version before version 1.27.0 contains
  a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins
  that can result in local code execution as a different user. This attack
  appears to be exploitable via using the --plugin flag without the --plugin-path
  flag. This vulnerability has been fixed in 1.27.1 (CVE-2018-1000622).

  This update also fixes a bug in the borrow checker verification of match
  expressions.

References:

 - https://blog.rust-lang.org/2018/07/06/security-advisory-for-rustdoc.html
 - https://blog.rust-lang.org/2018/07/10/Rust-1.27.1.html
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000622
Comment 2 Len Lawrence 2018-07-19 00:55:33 CEST
Mageia 6, x86_64

Updated all the packages.
Followed the test procedure in bug 22882.

$ cargo install ripgrep --force
    Updating registry `https://github.com/rust-lang/crates.io-index`
  Installing ripgrep v0.8.1
Downloading log v0.4.3
[...]
 Downloading globset v0.4.0
   Compiling void v1.0.2
[...]
   Compiling ignore v0.4.2
    Finished release [optimized + debuginfo] target(s) in 1m 12.27s
   Replacing /home/lcl/.cargo/bin/rg

$ ls .cargo
bin/  registry/
$ ls .cargo/bin
iota*  rg*
$ rg --version
ripgrep 0.8.1
-SIMD -AVX

ripgrep appears to be a pattern matching utility.
For instance, in the user's Home directory:
$ rg cargo
ruby/gemlist
3457:cargo (0.0.1)
3458:cargowise (0.8.4)
7072:escargot (0.0.3)
14962:motr-cargo (0.0.2)

text/notes.vega
2039:rice, and soya beans.  Only the transport of bulk cargoes was

and much more.

$ cd Downloads
$ rg cargo
$

The include and exclude globbing options do not appear to work:
$ rg --glob ruby cargo
No files were searched, which means ripgrep probably applied a filter you didn't expect. Try running again with --debug.

In this case the shell gets there first.
$ rg --glob !ruby cargo
bash: !ruby: event not found

$ cd ~/qa/rust/rust-hello_world/
$ ls
Cargo.toml  src/
$ ls src
main.rs
$ cargo run
   Compiling hello_world v0.0.1 (file:///home/lcl/qa/rust/rust-hello_world)
    Finished dev [unoptimized + debuginfo] target(s) in 0.89s
     Running `target/debug/hello_world`
Hello World!
I'm a Rustacean!

Noted that a directory target appeared.
$ ls target/debug
build/  deps/  examples/  hello_world*  hello_world.d  incremental/  native/

Looks like there is a problem here:
$ rustfmt -v src/main.rs
bash: rustfmt: command not found
$ sudo updatedb
$ locate rustfmt
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/atty-0.2.10/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/atty-0.2.8/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-2.31.2/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-2.32.0/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/encoding_rs-0.7.2/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/gag-0.1.9/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/tempfile-2.2.0/rustfmt.toml
/home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/textwrap-0.9.0/.rustfmt.toml

Alas, discovered a PoC too late, at https://blog.rust-lang.org/2018/07/10/Rust-1.27.1.html.
Replaced main.rs with this code:
fn main() {
    let a = vec!["".to_string()];
    a.iter().enumerate()
            .take_while(|(_, &t)| false)
            .collect::<Vec<_>>();
}

Compiled it to generate the expected error message after the patch:
------------------------------------------------------------------------------
Compiling hello_world v0.0.1 (file:///home/lcl/qa/rust/rust-hello_world)
warning: unused variable: `t`
 --> src/main.rs:4:31
  |
4 |             .take_while(|(_, &t)| false)
  |                               ^ help: consider using `_t` instead
  |
  = note: #[warn(unused_variables)] on by default

error[E0507]: cannot move out of borrowed content
 --> src/main.rs:4:30
  |
4 |             .take_while(|(_, &t)| false)
  |                              ^-
  |                              ||
  |                              |hint: to prevent move, use `ref t` or `ref mut t`
  |                              cannot move out of borrowed content

error: aborting due to previous error

For more information about this error, try `rustc --explain E0507`.
error: Could not compile `hello_world`.

To learn more, run the command again with --verbose.
------------------------------------------------------------------------------
This confirms that the patch works in Mageia.

Withholding the OK for an explanation of the missing rustfmt command and the oddities with --glob.

CC: (none) => tarazed25

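Sound spellings of the take_while pattern from the PoC in comment 2, added here as an example (not code from the bug report or from the Rust release notes); the function names and the sample input are constructed for illustration:

```rust
// Added example, not code from the bug report: sound spellings of the
// take_while pattern in the PoC above. `a.iter().enumerate()` yields
// (usize, &String) and take_while passes the closure a *reference* to that
// tuple, so the PoC's `|(_, &t)|` asks to bind the String by value, i.e. to
// move it out of the borrowed Vec. rustc 1.27.1 rejects that with E0507;
// the 1.27.0 borrow checker wrongly accepted it. Binding the reference
// instead (`t: &String`) needs no move and compiles on both versions.
fn leading_nonempty(a: &[String]) -> Vec<(usize, &String)> {
    a.iter()
        .enumerate()
        .take_while(|&(_, t)| !t.is_empty())
        .collect()
}

// If owned Strings are really wanted, as the `&t` pattern suggested, clone
// them explicitly after the borrow-only test instead of moving out.
fn leading_nonempty_owned(a: &[String]) -> Vec<(usize, String)> {
    a.iter()
        .enumerate()
        .take_while(|&(_, t)| !t.is_empty())
        .map(|(i, t)| (i, t.clone()))
        .collect()
}

fn main() {
    // Constructed input: the prefix before the first empty string is kept.
    let a = vec!["alpha".to_string(), "beta".to_string(), String::new(), "gamma".to_string()];
    println!("{:?}", leading_nonempty(&a)); // [(0, "alpha"), (1, "beta")]
    println!("{:?}", leading_nonempty_owned(&a)); // same pairs, with owned Strings
}
```
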
Comment 3 Len Lawrence 2018-07-19 01:13:59 CEST
Tried installing rustfmt - that succeeded but it turns out that the command is deprecated.
It can be run with the --force option.  It made a slight difference to the code and kept a backup.
$ rustfmt -v --force panic_not.rs
$ cat panic_not.rs
fn main() {
    let a = vec!["".to_string()];
    a.iter()
        .enumerate()
        .take_while(|(_, &t)| false)
        .collect::<Vec<_>>();
}

Tried to install the recommended rustfmt-nightly but the build failed.

error[E0554]: #![feature] may not be used on the stable release channel
  --> /home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/rustc-ap-serialize-196.0.0/lib.rs:25:1
   |
25 | #![feature(rustc_private, box_syntax)]
   | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
error[E0554]: #![feature] may not be used on the stable release channel
  --> /home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/rustc-ap-serialize-196.0.0/lib.rs:27:1
   |
27 | #![feature(specialization)]
   | ^^^^^^^^^^^^^^^^^^^^^^^^^^^

error[E0554]: #![feature] may not be used on the stable release channel
  --> /home/lcl/.cargo/registry/src/github.com-1ecc6299db9ec823/rustc-ap-serialize-196.0.0/lib.rs:28:1
   |
28 | #![feature(never_type)]
   | ^^^^^^^^^^^^^^^^^^^^^^^

error: aborting due to 4 previous errors
Comment 4 Rémi Verschelde 2018-07-19 13:05:33 CEST
Looks like I gave the wrong package names for rls and rustfmt, fixed now:

RPMs in core/updates_testing:
=============================

cargo-1.27.0-1.1.mga6
cargo-doc-1.27.0-1.1.mga6

rust-1.27.1-1.1.mga6
rust-analysis-1.27.1-1.1.mga6
rust-debugger-common-1.27.1-1.1.mga6
rust-doc-1.27.1-1.1.mga6
rust-gdb-1.27.1-1.1.mga6
rust-lldb-1.27.1-1.1.mga6
rust-src-1.27.1-1.1.mga6
rust-std-static-1.27.1-1.1.mga6

rls-preview-0.127.0-1.1.mga6

rustfmt-preview-0.6.1-1.1.mga6

> In this case the shell gets there first.
> $ rg --glob !ruby cargo
> bash: !ruby: event not found

In bash `!` triggers a lookup for a previous event starting with the following substring. To prevent that, you need to quote the argument:

$ rg --glob '!ruby' cargo
Comment 5 Len Lawrence 2018-07-19 17:00:55 CEST
Re comment 4.

Yeah, that is what I figured, but it did not work when I tried it. Strangely enough it worked just now (gremlins!) and sure enough it excluded the ruby tree.  So all is well.

Thanks Rémi.

Whiteboard: (none) => MGA6-64-OK

Comment 6 Len Lawrence 2018-07-19 17:19:32 CEST
Addendum:
Installed the preview packages and tried rustfmt again.
No problems.
$ rustfmt src/main.rs
$ cat src/main.rs
fn main() {
    let a = vec!["".to_string()];
    a.iter()
        .enumerate()
        .take_while(|(_, &t)| false)
        .collect::<Vec<_>>();
}

A minor change there, from a.iter().enumerate() to what you see.

$ cargo help rls
error: The subcommand 'rls' wasn't recognized
$ cargo install rls --force
    Updating registry `https://github.com/rust-lang/crates.io-index`
 Downloading rls v0.122.2
  Installing rls v0.122.2
   Compiling rls v0.122.2
    Finished release [optimized] target(s) in 5.07s
  Installing /home/lcl/.cargo/bin/rls
$ cargo help rls
error: The subcommand 'rls' wasn't recognized
Comment 7 Len Lawrence 2018-07-19 17:34:09 CEST
@Rémi apropos subcommands.
Is installing a subcommand after installing a related Mageia package a legitimate procedure when the subcommand does not show up or might it lead to a version mismatch of some kind?  In other words, for example, should installation of the rls-preview package have made the rls command available?
Len Lawrence 2018-07-19 17:52:28 CEST

Whiteboard: MGA6-64-OK => (none)

Comment 8 Rémi Verschelde 2018-07-19 21:00:22 CEST
(In reply to Len Lawrence from comment #7)

cargo subcommands are those listed with `cargo --list`. Using `cargo install <pkg>` does not install a subcommand for cargo, it installs a new library or application after building it from source (a "crate"). That's what happens when you do `cargo install ripgrep`, you build and install the ripgrep application. If ripgrep was provided as a Mageia package, it would indeed conflict with it and running `rg` might run the one or the other depending on your PATH order (just like what happens when installing python packages from Mageia together with pip packages).

So your `cargo install rls` did not install a subcommand for cargo, but the `rls` application in `/home/lcl/.cargo/bin/rls`. Provided `~/.cargo/bin` is in your PATH, you should be able to run it with `rls`. If you install Mageia's `rls-preview`, both `/home/lcl/.cargo/bin/rls` (self installed with cargo) and `/usr/bin/rls` (from the Mageia package) will provide the same feature, albeit possibly in different versions.
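
A PATH-shadowing check in the spirit of the explanation above, added here as an example and not part of the bug report: it lists every executable of a given name in PATH lookup order, so a tester can see whether a cargo-installed binary in ~/.cargo/bin or the Mageia package's /usr/bin copy is the one that actually runs. The function names and the demo directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the bug report): list every executable named $1
# on a PATH string, in lookup order, so you can see whether a cargo-installed
# binary in ~/.cargo/bin shadows the one from the Mageia package in /usr/bin,
# or the other way round. $2 is the PATH to inspect and defaults to $PATH.
path_providers() {
    name=$1
    search=${2:-$PATH}
    found=0
    old_ifs=$IFS
    IFS=:
    for dir in $search; do
        [ -n "$dir" ] || dir=.          # an empty PATH entry means "."
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            found=$((found + 1))
            if [ "$found" -eq 1 ]; then
                printf '%s (first on PATH: this is what runs)\n' "$dir/$name"
            else
                printf '%s (shadowed)\n' "$dir/$name"
            fi
        fi
    done
    IFS=$old_ifs
}

# Number of providers found; 0 means the command is not on the given PATH.
count_providers() {
    path_providers "$1" "$2" | wc -l | tr -d ' '
}

# Demo on a constructed layout that mirrors the thread: a self-built rls in a
# fake ~/.cargo/bin and a packaged rls in a fake /usr/bin.
demo_dir=$(mktemp -d)
for d in cargo_bin usr_bin; do
    mkdir -p "$demo_dir/$d"
    printf '#!/bin/sh\necho %s\n' "$d" > "$demo_dir/$d/rls"
    chmod +x "$demo_dir/$d/rls"
done
path_providers rls "$demo_dir/cargo_bin:$demo_dir/usr_bin"
rm -r "$demo_dir"
```

Run it against the real PATH with `path_providers rls` (or `rustfmt`) to reproduce the situation in the comments above.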
Comment 9 Len Lawrence 2018-07-19 21:37:45 CEST
Thanks Rémi.  That gives a much clearer picture of what is going on.  It certainly looks like we should avoid cargo install in a testing environment then.

After some local cleaning up and a quick test or two this should be good to go.

Later.
Comment 10 Len Lawrence 2018-07-20 19:06:13 CEST
Removed ~/.cargo/bin from PATH and ran some commands again.

$ rustfmt -v src/main.rs
Formatting /home/lcl/qa/rust/rust-hello_world/src/main.rs
Spent 0.001 secs in the parsing phase, and 0.000 secs in the formatting phase

$ cd .cargo/bin/
$ ls
cargo-fmt*  iota*  rg*  rls*  rustfmt*
$ rm rustfmt rls

Added /home/lcl/.cargo/bin to PATH.
$ path
/usr/local/bin
/usr/bin
/usr/local/games
/usr/games
/usr/lib64/qt4/bin
/home/lcl/bin
/home/lcl/.cargo/bin/

$ cargo list | grep rg
$ 
"rg include" and "rg --glob '!ruby' include" worked as expected using the installed command.
Note that the quotes need to be hard quotes.  Double quotes allow shell access.

rust is fine for 64-bits.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 11 Rémi Verschelde 2018-07-23 12:56:48 CEST
Advisory uploaded.

Keywords: (none) => advisory

Comment 12 Mageia Robot 2018-07-24 00:29:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0318.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

