An advisory has been issued today (January 20): https://www.openwall.com/lists/oss-security/2022/01/20/1 The issue is fixed upstream in 1.58.1. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.58.1
Status: NEW => ASSIGNED
openSUSE has issued an advisory for this today (January 21): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JWT2GLRS2EG6EW7X57X2RMJHMFK6GEWU/
Fedora has issued an advisory for this today (January 25): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/
rust-1.58.1-1.mga9 pushed to Cauldron which fixes it. Will prepare the update for Mageia 8 (current at 1.56.1, so need to build 1.57 first then 1.58.1).
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Updated to 1.57.0 and then patched for the CVE by Rémi. Rémi, can we get a release notes reference for 1.57.0?

Package list:
rust-1.57.0-1.1.mga8
rust-std-static-1.57.0-1.1.mga8
rust-src-1.57.0-1.1.mga8
rls-1.57.0-1.1.mga8
rust-analysis-1.57.0-1.1.mga8
cargo-1.57.0-1.1.mga8
rustfmt-1.57.0-1.1.mga8
rust-lldb-1.57.0-1.1.mga8
rust-gdb-1.57.0-1.1.mga8
rust-debugger-common-1.57.0-1.1.mga8
cargo-doc-1.57.0-1.1.mga8
clippy-1.57.0-1.1.mga8
rust-doc-1.57.0-1.1.mga8
from rust-1.57.0-1.1.mga8.src.rpm
Source RPM: rust-1.57.0-1.mga9.src.rpm => rust-1.56.1-1.mga8.src.rpm
CC: (none) => rverschelde
Assignee: rverschelde => qa-bugs
Status comment: Fixed upstream in 1.58.1 => (none)
mga8, x64

Updated all packages and followed tests from bug 29616.

$ cd qa/rust/rust-hello_world
$ cargo build
   Compiling hello_world v0.0.1 (/home/lcl/qa/rust/rust-hello_world)
    Finished dev [unoptimized + debuginfo] target(s) in 2.14s
$ cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.05s
     Running `target/debug/hello_world`
Hello World! I'm a Rustacean!

Tried a snippet lying around which appears to contain a deliberate error.

$ cat panic_not.rs
fn main() {
    let a = vec!["".to_string()];
    a.iter()
        .enumerate()
        .take_while(|(_, &t)| false)
        .collect::<Vec<_>>();
}

Copied panic_not.rs to main.rs in the src directory and then

$ cargo run
   Compiling panic_not v0.0.1 (/home/lcl/qa/rust/panic_not)
warning: unused variable: `t`
 --> src/main.rs:5:27
  |
5 |         .take_while(|(_, &t)| false)
  |                           ^ help: if this is intentional, prefix it with an underscore: `_t`
  |
  = note: `#[warn(unused_variables)]` on by default

error[E0507]: cannot move out of a shared reference
 --> src/main.rs:5:22
  |
5 |         .take_while(|(_, &t)| false)
  |                      ^^^^^-^
  |                      |    |
  |                      |    data moved here
  |                      move occurs because `t` has type `String`, which does not implement the `Copy` trait

For more information about this error, try `rustc --explain E0507`.
warning: `panic_not` (bin "panic_not") generated 1 warning
error: could not compile `panic_not` due to previous error; 1 warning emitted

<This shows how rust copes with a valid error>

$ rustc --explain E0507
<It does that OK>

$ rg -help
<works>

$ rg -s cargo .
./failure
4:error: failed to compile `rustfmt-nightly v0.8.3`, intermediate artifacts can be found at `/tmp/cargo-installwZm5ug`
<Other searches at different relative directory levels worked as well>

$ rg --version
ripgrep 12.1.1
-SIMD -AVX (compiled)
+SIMD +AVX (runtime)

$ cargo install ripgrep --force
    Updating crates.io index
<which took a while>
<lots of compiling....>
   Compiling ignore v0.4.18
   Compiling ripgrep v13.0.0
   Compiling grep-printer v0.1.6
   Compiling grep v0.2.8
    Finished release [optimized + debuginfo] target(s) in 1m 13s
   Replacing /home/lcl/.cargo/bin/rg
    Replaced package `ripgrep v12.1.1` with `ripgrep v13.0.0` (executable `rg`)

Using clippy requires a bit more research so giving this an OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Advisory:
=========

Updated rust packages fix security vulnerability

This update provides Rust 1.57.0 as a feature and bugfix update. See the release notes for details.

The `std::fs::remove_dir_all` standard library function was vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete (CVE-2022-21658).

This vulnerability was fixed by patching Rust 1.57.0.

References:
- https://blog.rust-lang.org/2021/12/02/Rust-1.57.0.html
- https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
- https://github.com/rust-lang/wg-security-response/tree/master/patches/CVE-2022-21658

SRPM in core/updates_testing:
=============================
rust-1.57.0-1.1.mga8

RPMs listed in comment 4.
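To make the race in the advisory concrete, here is an added example (not the Rust standard library's own code and not part of the Mageia patch) that puts the vulnerable shape of remove_dir_all next to the fixed shape. The naive version keys every step by path, so between its symlink check and its recursion an attacker who controls the tree can swap a real subdirectory for a symlink and have a privileged caller delete the link's target. The hardened version opens each directory with O_NOFOLLOW | O_DIRECTORY and names children relative to that open handle. It is Linux-only and uses only std: the O_NOFOLLOW and O_DIRECTORY values are assumed from the kernel ABI (no libc crate), and the `/proc/self/fd/N` path is used as a stand-in for the openat/unlinkat calls that std does not expose; `naive_remove_dir_all`, `remove_dir_all_nofollow`, `open_dir_nofollow` and the temp-dir fixture in `main` are this example's own names.

```rust
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::unix::fs::OpenOptionsExt;
use std::os::unix::io::AsRawFd;
use std::path::{Path, PathBuf};

// open(2) flag values from the Linux kernel ABI (assumed; no libc crate used).
#[cfg(any(target_arch = "x86_64", target_arch = "x86"))]
const O_NOFOLLOW: i32 = 0o400000;
#[cfg(any(target_arch = "x86_64", target_arch = "x86"))]
const O_DIRECTORY: i32 = 0o200000;
#[cfg(target_arch = "aarch64")]
const O_NOFOLLOW: i32 = 0o100000;
#[cfg(target_arch = "aarch64")]
const O_DIRECTORY: i32 = 0o40000;

/// Vulnerable shape (simplified): check and use are both keyed by a path string.
pub fn naive_remove_dir_all(path: &Path) -> io::Result<()> {
    let ft = fs::symlink_metadata(path)?.file_type();
    if !ft.is_dir() {
        return fs::remove_file(path); // a file or symlink at the top level
    }
    for entry in fs::read_dir(path)? {
        let entry = entry?;
        let child = entry.path();
        // TOCTOU window: `child` was a directory when readdir reported it, but
        // if it is now a symlink, `read_dir(child)` below follows the link and
        // the recursion deletes the link's target instead of the link.
        if entry.file_type()?.is_dir() {
            naive_remove_dir_all(&child)?;
        } else {
            fs::remove_file(&child)?;
        }
    }
    fs::remove_dir(path)
}

/// Fixed shape: pin each directory with an O_NOFOLLOW | O_DIRECTORY handle and
/// address children relative to that handle, so swapping a path component
/// underneath us cannot redirect a deletion.
pub fn remove_dir_all_nofollow(path: &Path) -> io::Result<()> {
    let ft = fs::symlink_metadata(path)?.file_type();
    if !ft.is_dir() {
        return fs::remove_file(path); // a symlink given as the root is unlinked, not followed
    }
    let dir = open_dir_nofollow(path)?;
    remove_dir_contents(&dir)?;
    drop(dir);
    fs::remove_dir(path)
}

/// The kernel performs the "is it a real directory" check and the open
/// atomically: ELOOP for a symlink, ENOTDIR for anything that is not a directory.
pub fn open_dir_nofollow(path: &Path) -> io::Result<File> {
    OpenOptions::new()
        .read(true)
        .custom_flags(O_NOFOLLOW | O_DIRECTORY)
        .open(path)
}

/// `/proc/self/fd/N` resolves to the open directory's inode regardless of what
/// now sits at its original path; std's path APIs then act relative to the handle.
fn handle_path(dir: &File) -> PathBuf {
    PathBuf::from(format!("/proc/self/fd/{}", dir.as_raw_fd()))
}

fn remove_dir_contents(dir: &File) -> io::Result<()> {
    let base = handle_path(dir);
    for entry in fs::read_dir(&base)? {
        let entry = entry?;
        let child = base.join(entry.file_name());
        // d_type never follows symlinks, and the recursive open refuses to follow
        // one, so an entry swapped for a symlink is an error, never a traversal.
        if entry.file_type()?.is_dir() {
            let sub = open_dir_nofollow(&child)?;
            remove_dir_contents(&sub)?;
            drop(sub);
            fs::remove_dir(&child)?;
        } else {
            fs::remove_file(&child)?; // regular files and symlinks alike
        }
    }
    Ok(())
}

fn main() -> io::Result<()> {
    // Constructed fixture: a tree to delete that contains a symlink to a
    // directory which must survive.
    let base = std::env::temp_dir().join(format!("remove-dir-all-demo-{}", std::process::id()));
    let victim = base.join("victim");
    let root = base.join("root");
    fs::create_dir_all(&victim)?;
    fs::write(victim.join("keep.txt"), b"must survive")?;
    fs::create_dir_all(root.join("sub"))?;
    fs::write(root.join("sub").join("doomed.txt"), b"doomed")?;
    std::os::unix::fs::symlink(&victim, root.join("sub").join("link"))?;
    remove_dir_all_nofollow(&root)?;
    println!("root removed: {}, victim intact: {}", !root.exists(), victim.join("keep.txt").exists());
    fs::remove_dir_all(&base)
}
```

Run it with `rustc` on a Linux host; it prints `root removed: true, victim intact: true`. The fixed function cannot be made to demonstrate the race deterministically from a single thread, which is the point: the open-then-operate-on-handle design leaves no window between check and use for a second process to exploit.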
Validating. Advisory in Comment 6
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0044.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED