Bug 29912 - rust new security issue CVE-2022-21658
Summary: rust new security issue CVE-2022-21658
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-01-20 19:32 CET by David Walser
Modified: 2022-02-02 22:30 CET (History)
5 users

See Also:
Source RPM: rust-1.56.1-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-01-20 19:32:00 CET
An advisory has been issued today (January 20):
https://www.openwall.com/lists/oss-security/2022/01/20/1

The issue is fixed upstream in 1.58.1.

Mageia 8 is also affected.
David Walser 2022-01-20 19:32:12 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.58.1

Rémi Verschelde 2022-01-20 22:53:34 CET

Status: NEW => ASSIGNED

Comment 1 David Walser 2022-01-21 19:38:02 CET
openSUSE has issued an advisory for this today (January 21):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JWT2GLRS2EG6EW7X57X2RMJHMFK6GEWU/
Comment 2 David Walser 2022-01-25 23:37:04 CET
Fedora has issued an advisory for this today (January 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/
Comment 3 Rémi Verschelde 2022-01-25 23:40:57 CET
rust-1.58.1-1.mga9 pushed to Cauldron which fixes it.

Will prepare the update for Mageia 8 (current at 1.56.1, so need to build 1.57 first then 1.58.1).

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 4 David Walser 2022-01-27 17:31:35 CET
Updated to 1.57.0 and then patched for the CVE by Rémi.  Rémi, can we get a release notes reference for 1.57.0?

Package list:
rust-1.57.0-1.1.mga8
rust-std-static-1.57.0-1.1.mga8
rust-src-1.57.0-1.1.mga8
rls-1.57.0-1.1.mga8
rust-analysis-1.57.0-1.1.mga8
cargo-1.57.0-1.1.mga8
rustfmt-1.57.0-1.1.mga8
rust-lldb-1.57.0-1.1.mga8
rust-gdb-1.57.0-1.1.mga8
rust-debugger-common-1.57.0-1.1.mga8
cargo-doc-1.57.0-1.1.mga8
clippy-1.57.0-1.1.mga8
rust-doc-1.57.0-1.1.mga8

from rust-1.57.0-1.1.mga8.src.rpm

Source RPM: rust-1.57.0-1.mga9.src.rpm => rust-1.56.1-1.mga8.src.rpm
CC: (none) => rverschelde
Assignee: rverschelde => qa-bugs
Status comment: Fixed upstream in 1.58.1 => (none)

Comment 5 Len Lawrence 2022-01-27 19:44:57 CET
mga8, x64

Updated all packages and followed tests from bug 29616.
$ cd qa/rust/rust-hello_world
$ cargo build
   Compiling hello_world v0.0.1 (/home/lcl/qa/rust/rust-hello_world)
    Finished dev [unoptimized + debuginfo] target(s) in 2.14s
$ cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.05s
     Running `target/debug/hello_world`
Hello World!
I'm a Rustacean!

Tried a snippet lying around which appears to contain a deliberate error.
$ cat panic_not.rs
fn main() {
    let a = vec!["".to_string()];
    a.iter()
        .enumerate()
        .take_while(|(_, &t)| false)
        .collect::<Vec<_>>();
}

Copied panic_not.rs to main.rs in the src directory and then
$ cargo run
  Compiling panic_not v0.0.1 (/home/lcl/qa/rust/panic_not)
warning: unused variable: `t`
 --> src/main.rs:5:27
  |
5 |         .take_while(|(_, &t)| false)
  |                           ^ help: if this is intentional, prefix it with an underscore: `_t`
  |
  = note: `#[warn(unused_variables)]` on by default

error[E0507]: cannot move out of a shared reference
 --> src/main.rs:5:22
  |
5 |         .take_while(|(_, &t)| false)
  |                      ^^^^^-^
  |                           |
  |                           data moved here
  |                           move occurs because `t` has type `String`, which does not implement the `Copy` trait

For more information about this error, try `rustc --explain E0507`.
warning: `panic_not` (bin "panic_not") generated 1 warning
error: could not compile `panic_not` due to previous error; 1 warning emitted

<This shows how rust copes with a valid error>
$ rustc --explain E0507
<It does that OK>

$ rg -help
<works>

$ rg -s cargo .
./failure
4:error: failed to compile `rustfmt-nightly v0.8.3`, intermediate artifacts can be found at `/tmp/cargo-installwZm5ug`
<Other searches at different relative directory levels worked as well>

$ rg --version
ripgrep 12.1.1
-SIMD -AVX (compiled)
+SIMD +AVX (runtime)

$ cargo install ripgrep --force
    Updating crates.io index
<which took a while>
<lots of compiling....>
   Compiling ignore v0.4.18
   Compiling ripgrep v13.0.0
   Compiling grep-printer v0.1.6
   Compiling grep v0.2.8
    Finished release [optimized + debuginfo] target(s) in 1m 13s
   Replacing /home/lcl/.cargo/bin/rg
    Replaced package `ripgrep v12.1.1` with `ripgrep v13.0.0` (executable `rg`)

Using clippy requires a bit more research so giving this an OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 6 Rémi Verschelde 2022-01-28 13:09:30 CET
Advisory:
=========

Updated rust packages fix security vulnerability

  This update provides Rust 1.57.0 as a feature and bugfix update. See the
  release notes for details.

  The `std::fs::remove_dir_all` standard library function was vulnerable to a race
  condition enabling symlink following (CWE-363). An attacker could use this
  security issue to trick a privileged program into deleting files and
  directories the attacker couldn't otherwise access or delete (CVE-2022-21658).
  This vulnerability was fixed by patching Rust 1.57.0.

References:

 - https://blog.rust-lang.org/2021/12/02/Rust-1.57.0.html
 - https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
 - https://github.com/rust-lang/wg-security-response/tree/master/patches/CVE-2022-21658

SRPM in core/updates_testing:
=============================

rust-1.57.0-1.1.mga8

RPMs listed in comment 4.
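Added example, not part of the bug report or the Mageia packages: a QA-style check that `std::fs::remove_dir_all` removes a symlinked directory entry instead of descending into it. It builds a tree with a symlink pointing outside the directory being deleted and verifies the link target survives. It exercises only the static symlink case, not the check-then-recurse race window that CVE-2022-21658 describes, and assumes Linux with a writable temp dir.

```rust
// Added example (not from the Mageia bug report or the rust package).
// Assumes Linux (std::os::unix::fs::symlink) and a writable temp dir.
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};

/// Build <base>/victim/secret.txt and <base>/target/link -> <base>/victim,
/// then remove <base>/target. Returns (victim_file_survived, link_removed).
pub fn symlink_is_not_followed(base: &Path) -> io::Result<(bool, bool)> {
    let victim = base.join("victim");
    let target = base.join("target");
    fs::create_dir_all(&victim)?;
    fs::create_dir_all(&target)?;
    fs::write(victim.join("secret.txt"), b"constructed sample file")?;
    // The link inside the tree being deleted points outside of it.
    symlink(&victim, target.join("link"))?;

    fs::remove_dir_all(&target)?;

    let victim_survived = victim.join("secret.txt").is_file();
    // symlink_metadata does not follow links, so a missing entry means
    // the link itself was unlinked rather than its target.
    let link_removed = fs::symlink_metadata(target.join("link")).is_err();
    Ok((victim_survived, link_removed))
}

/// Unique scratch directory per process and tag (constructed name).
pub fn fresh_base(tag: &str) -> PathBuf {
    std::env::temp_dir().join(format!(
        "cve-2022-21658-check-{}-{}",
        std::process::id(),
        tag
    ))
}

/// Run the check in a fresh scratch directory and clean up afterwards.
pub fn run_check(tag: &str) -> io::Result<(bool, bool)> {
    let base = fresh_base(tag);
    let _ = fs::remove_dir_all(&base); // ignore "not found" from a prior run
    fs::create_dir_all(&base)?;
    let result = symlink_is_not_followed(&base);
    let _ = fs::remove_dir_all(&base);
    result
}

fn main() -> io::Result<()> {
    let (survived, link_removed) = run_check("main")?;
    println!("victim survived: {}, link removed: {}", survived, link_removed);
    Ok(())
}
```

A failing result (victim file gone) would mean the deletion followed the link; a passing result does not prove the racy path is fixed, so the rustc version still has to be checked against the advisory.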
Comment 7 Thomas Andrews 2022-01-28 17:33:46 CET
Validating. Advisory in Comment 6

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-02-02 20:34:14 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-02-02 22:30:38 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0044.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

