Fedora has issued an advisory on April 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CZ337CM4GFJLRDFVQCGC7J25V65JXOG5/ The issues are fixed upstream in 1.52.0. Mageia 7 is also affected. Note that everything built with rust needs to be rebuilt.
Status comment: (none) => Fixed upstream in 1.52.0
Whiteboard: (none) => MGA7TOO
My plan is to update Mageia 8 to Rust 1.52.1 (which means 3 incremental rust builds from 1.49.0 to 1.52.1 then rebuild of packages using rust). For Mageia 7 which has Rust 1.43.1, this will likely be a WONTFIX (though I'll check if there's a backportable patch).
Status: NEW => ASSIGNED
rust-1.52.1-1.mga8 is in mga8 core/updates_testing (finalizing upload now). I'll rebuild packages using rust tomorrow (already bumped subrel in SVN): alacritty/ cargo-c/ dust/ firefox/ librsvg/ mozjs68/ mozjs78/ neovim-gtk/ ripgrep/ suricata/ thunderbird/
Thanks. I'll make sure Firefox gets built against the updated rust, so don't put another subrel on that or rebuild it again. Thunderbird 78.11.0 should be coming very soon, so no need to fool with that for this update. If you're rebuilding mozjs78 anyway, it would make sense to update it too. suricata needs an update (Bug 29012) so you can leave that one alone for now. librsvg needs a security update (Bug 29055), so it'd be cool if you could help with that one.
OK, leaving out firefox, thunderbird and suricata. librsvg doesn't need an update in Mageia 8 (not vulnerable), so I'll rebuild it in this mga8 update candidate for rust. Working on an update to mozjs78 78.11.0.

The rest has been built:
rust-1.52.1-1.mga8
alacritty-0.7.1-1.1.mga8
cargo-c-0.7.0-1.1.mga8
dust-0.5.1-1.1.mga8
librsvg-2.50.3-1.1.mga8
mozjs68-68.11.0-1.1.mga8
neovim-gtk-0.2.0-0.git20190512.2.1.mga8
ripgrep-12.1.1-1.1.mga8

Upcoming:
mozjs78-78.11.0-1.mga8
Update candidate for Mageia 8 below. Didn't work on Mageia 7 for now, but as mentioned in comment 1 I probably won't: the amount of work required is not justified for these issues so close to EOL.

Advisory:
=========

Updated rust packages fix security vulnerabilities

This Rust update to version 1.52.1 includes security fixes for CVE-2020-36323, CVE-2021-28876, CVE-2021-28878, CVE-2021-28879, and CVE-2021-31162. These are memory safety bugs in the Rust standard library. Because it is statically linked, affected applications will need to be rebuilt to benefit from the fixes. The actual security implications will depend on how these APIs are used in each particular case.

This update also provides new features and bugfixes included in Rust since the previously packaged version 1.49.0. See the referenced release notes for details.

The mozjs78 package is also updated from version 78.7.0 to 78.11.0 (ESR).

References:
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CZ337CM4GFJLRDFVQCGC7J25V65JXOG5/
- https://blog.rust-lang.org/2021/02/11/Rust-1.50.0.html
- https://blog.rust-lang.org/2021/03/25/Rust-1.51.0.html
- https://blog.rust-lang.org/2021/05/06/Rust-1.52.0.html
- https://blog.rust-lang.org/2021/05/10/Rust-1.52.1.html

SRPMs in core/updates_testing:
==============================

rust-1.52.1-1.mga8
alacritty-0.7.1-1.1.mga8
cargo-c-0.7.0-1.1.mga8
dust-0.5.1-1.1.mga8
librsvg-2.50.3-1.1.mga8
mozjs68-68.11.0-1.1.mga8
mozjs78-78.11.0-1.mga8
neovim-gtk-0.2.0-0.git20190512.2.1.mga8
ripgrep-12.1.1-1.1.mga8

RPMs in core/updates_testing:
=============================

cargo-1.52.1-1.mga8.x86_64.rpm
cargo-doc-1.52.1-1.mga8.noarch.rpm
clippy-1.52.1-1.mga8.x86_64.rpm
rls-1.52.1-1.mga8.x86_64.rpm
rust-1.52.1-1.mga8.x86_64.rpm
rust-analysis-1.52.1-1.mga8.x86_64.rpm
rust-debugger-common-1.52.1-1.mga8.noarch.rpm
rust-doc-1.52.1-1.mga8.x86_64.rpm
rust-gdb-1.52.1-1.mga8.noarch.rpm
rust-lldb-1.52.1-1.mga8.noarch.rpm
rust-src-1.52.1-1.mga8.noarch.rpm
rust-std-static-1.52.1-1.mga8.x86_64.rpm
rustfmt-1.52.1-1.mga8.x86_64.rpm
alacritty*-0.7.1-1.1.mga8
cargo-c-0.7.0-1.1.mga8
dust-0.5.1-1.1.mga8
librsvg-2.50.3-1.1.mga8
lib64rsvg2_2-2.50.3-1.1.mga8
lib64rsvg2-devel-2.50.3-1.1.mga8
lib64rsvg-gir2.0-2.50.3-1.1.mga8
lib64mozjs78-78.11.0-1.mga8
lib64mozjs-devel-78.11.0-1.mga8
lib64mozjs68-68.11.0-1.1.mga8
lib64mozjs68-devel-68.11.0-1.1.mga8
neovim-gtk-0.2.0-0.git20190512.2.1.mga8
neovim-gtk-docs-0.2.0-0.git20190512.2.1.mga8
ripgrep*-12.1.1-1.1.mga8
Assignee: rverschelde => qa-bugs
CC: (none) => rverschelde
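The advisory above makes the point that matters for QA on this update: the Rust standard library is statically linked, so a package is only fixed once it has actually been rebuilt with the new rustc, and the version a program prints about itself (as in the `rg --version` checks later in this report) says nothing about which toolchain built it. What follows is an added example, not part of this bug report or of any Mageia package: a POSIX sh script that reads the `rustc version X.Y.Z (...)` marker rustc leaves in an ELF file's `.comment` section and flags binaries built with a toolchain older than 1.52.1. It assumes that marker is still present (strip keeps `.comment` by default, so it normally survives packaging) and reports UNKNOWN when it is not; run without arguments it exercises itself on constructed files rather than real binaries.

```sh
#!/bin/sh
# Added example, not from the Mageia update or from any of its packages.
# Finds the "rustc version X.Y.Z (...)" marker that rustc emits into an
# ELF binary's .comment section and reports whether the binary predates
# the toolchain carrying the std fixes.
# Assumption: the .comment section is still present (strip keeps it by
# default); if the marker is missing the file is reported as UNKNOWN.

FIXED_RUSTC=1.52.1   # first Mageia 8 rust build with the fixed std

# Print the first rustc version string found in a file, or "unknown".
# Only POSIX tools (tr, grep, head, cut), so it works without binutils.
rustc_version_of() {
    v=$(tr -c '[:print:]' '\n' < "$1" \
        | grep -o 'rustc version [0-9][0-9.]*' \
        | head -n 1 \
        | cut -d' ' -f3)
    printf '%s\n' "${v:-unknown}"
}

# Succeed (exit 0) when dotted version $1 is strictly lower than $2.
# Compares component by component, so 1.9.0 < 1.10.0 (no GNU sort -V needed).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 1; fi
    done
    return 1
}

# Classify one file as OK, REBUILD or UNKNOWN; output is "STATUS VERSION PATH".
rebuild_status() {
    v=$(rustc_version_of "$1")
    if [ "$v" = unknown ]; then status=UNKNOWN
    elif version_lt "$v" "$FIXED_RUSTC"; then status=REBUILD
    else status=OK
    fi
    printf '%s %s %s\n' "$status" "$v" "$1"
}

# Self-check on constructed files (not real binaries): the marker strings
# mimic what rustc 1.49.0 and 1.52.1 write, next to a GCC .comment entry.
demo() {
    d=$(mktemp -d)
    printf 'GCC: (GNU) 10.3.0\0rustc version 1.49.0 (e1884a8e3 2020-12-29)\0' > "$d/old"
    printf 'GCC: (GNU) 10.3.0\0rustc version 1.52.1 (9bc8c42bb 2021-05-09)\0' > "$d/new"
    printf 'GCC: (GNU) 10.3.0\0' > "$d/c-only"
    for f in "$d/old" "$d/new" "$d/c-only"; do rebuild_status "$f"; done
    rm -rf "$d"
}

# Usage: sh rust-rebuild-check.sh /usr/bin/rg /usr/bin/alacritty ...
# (for instance on the rpm -ql output of each rebuilt package);
# with no arguments the constructed demo runs instead.
if [ $# -gt 0 ]; then
    for f in "$@"; do rebuild_status "$f"; done
else
    demo
fi
```

The script deliberately avoids `readelf -p .comment` so it can run on a minimal QA image; where binutils is available, `readelf -p .comment FILE` shows the same marker directly. A REBUILD result on a binary from one of the rebuilt packages would mean the rebuild did not pick up the new toolchain, which is exactly the failure mode this kind of update can hide.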
mga8, x64

Installed all the packages and then updated them from testing. Don't know what they all do so testing follows previous updates.

$ cargo install ripgrep --force
    Updating crates.io index
  Downloaded ripgrep v12.1.1
  Downloaded 1 crate (256.5 KB) in 0.62s
  Installing ripgrep v12.1.1
  Downloaded crossbeam-utils v0.8.5
.....

This also created directories in .cargo:

$ ls .cargo
bin/  registry

$ path | grep cargo
/home/lcl/.cargo/bin

$ ls .cargo/bin
rg*

Does this override the installed version of ripgrep? .cargo/bin appears later in the PATH.

$ /bin/rg --version
ripgrep 12.1.1
-SIMD -AVX (compiled)
+SIMD +AVX (runtime)

$ .cargo/bin/rg --version
ripgrep 12.1.1
-SIMD -AVX (compiled)
+SIMD +AVX (runtime)

In this case the sources are probably the same anyway.

$ ll /bin/rg
-rwxr-xr-x 1 root root 4725456 Jun 1 08:17 /bin/rg*

$ ll .cargo/bin/rg
-rwxr-xr-x 1 lcl lcl 33565176 Jun 2 21:39 .cargo/bin/rg*

$ file /bin/rg
/bin/rg: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e2dd1290322f8b210e3a863630ae185f91da675b, for GNU/Linux 3.2.0, stripped

$ file .cargo/bin/rg
.cargo/bin/rg: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=1bcb2b501c2d115403ed15b799b8b67e13ad89bf, for GNU/Linux 3.2.0, with debug_info, not stripped

The point of all this is to understand if it matters for updates testing.

$ rg cargo
returned a huge list of files containing the string "cargo".

Moved to ~/qa/rust then

$ cd rust-hello_world
$ cargo run
   Compiling hello_world v0.0.1 (/home/lcl/qa/rust/rust-hello_world)
    Finished dev [unoptimized + debuginfo] target(s) in 1.67s
     Running `target/debug/hello_world`
Hello World! I'm a Rustacean!

$ rustfmt -v src/main.rs
Formatting /home/lcl/qa/rust/rust-hello_world/src/main.rs
Spent 0.002 secs in the parsing phase, and 0.000 secs in the formatting phase

$ rg -s -g '!.rb' cargo
Another long list, excluding ruby scripts.

$ dust -s -x qa
This locked up the machine, hitting all 20 CPU cores. Eventually:

$ dust -s -x qa
429M ┌── RAW.tar │ █ │ 2%
445M ┌─┴ rawtherapee │ █ │ 2%
614M ├── openexr │ ██ │ 2%
388M │ ┌── Destination Moon Irving Pichel, 1950-fsXVfddSF_A.mp4 │ ░█ │ 1%
754M ├─┴ python3 │ ██ │ 3%
636M │ ┌── BUILD │ ▒██ │ 2%
955M │ ┌─┴ docker │ ███ │ 4%
957M ├─┴ golang │ ███ │ 4%
.....................

This may have been hampered by remote access to an NAS drive. Something nearer to home delivered quicker results.

$ dust -s -x ./dev
74M ┌── python │ ███ │ 3%
75M │ ┌── tutorials │ ███ │ 3%
75M │ ┌─┴ run │ ███ │ 3%
75M │ ┌─┴ lcl-7 │ ███ │ 3%
75M ├─┴ OpenFOAM │ ███ │ 3%
194M │ ┌── stellarium-0.16.0-1.mga6.src.rpm │ ░░░░░██████ │ 7%

Giving this an OK.
CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
Blocks: (none) => 29083
Whiteboard: MGA7TOO MGA8-64-OK => MGA8-64-OK
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CVE: (none) => CVE-2020-36323, CVE-2021-2887[689], and CVE-2021-31162
Keywords: (none) => advisory
Status comment: Fixed upstream in 1.52.0 => (none)
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0251.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED