Bug 33522 - rust new security issue CVE-2024-43402
Summary: rust new security issue CVE-2024-43402
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: High major
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL: https://www.openwall.com/lists/oss-se...
Whiteboard:
Keywords:
Depends on: 33322
Blocks:
Reported: 2024-09-05 16:14 CEST by Nicolas Salguero
Modified: 2025-07-27 01:11 CEST (History)

See Also:
Source RPM: rust-1.76.0-1.1.mga9.src.rpm
CVE: CVE-2024-43402
Status comment: Fixed upstream in 1.81.0


Description Nicolas Salguero 2024-09-05 16:14:16 CEST
CVE-2024-43402 was announced here:
https://www.openwall.com/lists/oss-security/2024/09/04/3
Nicolas Salguero 2024-09-05 16:15:14 CEST

Status comment: (none) => Fixed upstream in 1.81.0
Source RPM: (none) => rust-1.78.0-1.mga10.src.rpm, rust-1.76.0-1.1.mga9.src.rpm
CVE: (none) => CVE-2024-43402
Whiteboard: (none) => MGA9TOO

Comment 1 Marja Van Waes 2024-09-06 21:17:16 CEST
We no longer have a registered rust maintainer, so assigning to all packagers collectively.

However, neoclust pushed a lot of rust packages recently, so CC'ing him.

URL: (none) => https://www.openwall.com/lists/oss-security/2024/09/04/3
CC: (none) => mageia, marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-09-29 11:36:00 CEST
Fixed in Cauldron.

Version: Cauldron => 9
Source RPM: rust-1.78.0-1.mga10.src.rpm, rust-1.76.0-1.1.mga9.src.rpm => rust-1.76.0-1.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)

Comment 3 katnatek 2024-09-29 19:08:26 CEST
In the dev list Remi says the new versions of rust require a new llvm

Depends on: (none) => 33322

Comment 4 Morgan Leijström 2024-10-12 16:54:44 CEST
I see 1.76 in the testing repo, find no related bug, and think it should be purged to save substantial storage space.

llvm19 is building (iteratively...) so soon new rust can be built.

CC: (none) => fri

Comment 5 katnatek 2024-10-13 00:59:47 CEST
(In reply to Morgan Leijström from comment #4)
> I see 1.76 in testing repo, find no related bug, think it should be purged
> to save substantial storage space.
> 
> llvm19 is building (iteratively...) so soon new rust can be built.

Rust needs the N-1 version to build version N, so this needs to be kept to build 1.77, and the chain follows until we can reach the latest rust version.
Comment 6 Morgan Leijström 2024-10-14 08:27:24 CEST
llvm19 built successfully.

Upping priority as updated rust is needed for building optimal versions of Firefox and Thunderbird.

Severity: normal => major
Priority: Normal => High

Comment 7 Nicolas Salguero 2024-10-14 16:07:53 CEST
llvm19 is too new for rust 1.76.  I will try to rebuild llvm17-suite for all arches to build at least rust 1.76 and, then, use llvm19-suite to build Firefox and Thunderbird.
Comment 8 Nicolas Salguero 2024-10-22 09:52:35 CEST
Rust 1.76 was successfully built with llvm17-suite except for armv7hl.

Since it is not a mandatory arch, let's build Firefox and Thunderbird, at least for the three mandatory arches.
Comment 9 Morgan Leijström 2024-10-22 10:03:44 CEST
Yes it is important to get the security updates out for mandatory arches.
Comment 10 Jani Välimaa 2024-10-22 22:07:57 CEST
(In reply to Nicolas Salguero from comment #8)
> Rust 1.76 was successfully built with llvm17-suite except for armv7hl.
> 
> Since it is not a mandatory arch, let's build Firefox and Thunderbird, at
> least for the three mandatory arches.

Rust 1.76 is now also built for armv7hl in mga9 core/updates_testing.
Comment 11 Christiaan Welvaart 2024-11-04 19:42:16 CET
Can rust 1.76 be moved to updates? Chromium M130 does not compile with rust 1.74 from updates while it does build with rust 1.76 currently in updates_testing.

CC: (none) => cjw

Comment 12 David Walser 2024-11-04 20:24:36 CET
It doesn't fix this vulnerability, so it can't be with this bug, but if you file a new bug for it (and assign it to QA), it should be able to be validated immediately, since things have already been built with it (tbh it should have been pushed when it was used to build FF, IINM).
Comment 13 Nicolas Salguero 2024-11-05 09:35:13 CET
(In reply to David Walser from comment #12)
> (tbh it should have been pushed when it was used to build FF, IINM).

Yes, sorry, I forgot to add it with the previous Firefox update.  I will add it to Firefox 128.4 update.
Comment 14 Morgan Leijström 2024-11-11 09:51:57 CET
2024-11-09, Bug 33713 - Firefox 128.4 FIXED, with rust 1.76 packages,
got moved to updates repo.

Why are there 130+ rust-* packages in /core/updates_testing/
from 2024-09-04 and -05?
Comment 15 katnatek 2024-11-11 19:15:44 CET
(In reply to Morgan Leijström from comment #14)
> 2024-11-09, Bug 33713 - Firefox 128.4 FIXED, with rust 1.76 packages,
> got moved to updates repo.
> 
> Why are there 130+ rust-* packages in /core/updates_testing/
> from 2024-09-04 and -05?

They are from other src.rpms not included in the firefox advisory:

rust-bindgen-0.69.4-1.mga9.src.rpm
rust-bitflags1-1.3.2-2.mga9.src.rpm
rust-cbindgen-0.26.0-0.1.mga9.src.rpm
rust-clap3-3.2.25-2.mga9.src.rpm
rust-env_logger0.7-0.7.1-2.mga9.src.rpm
rust-filetime-0.2.23-1.mga9.src.rpm
rust-fxhash-0.2.1-0.1.mga9.src.rpm
rust-humantime1-1.3.0-1.mga9.src.rpm
rust-indexmap1-1.9.3-0.1.mga9.src.rpm
rust-itertools0.10-0.10.5-1.mga9.src.rpm
rust-libc-0.2.155-1.mga9.src.rpm
rust-log0.3-0.3.9-0.1.mga9.src.rpm
rust-proc-macro2-1.0.86-1.mga9.src.rpm
rust-quickcheck0.9-0.9.2-0.1.mga9.src.rpm
rust-seahash3-3.0.7-0.1.mga9.src.rpm
rust-serial_test0.5-0.5.1-1.mga9.src.rpm
rust-serial_test_derive0.5-0.5.1-0.1.mga9.src.rpm
rust-syn1-1.0.109-1.mga9.src.rpm
rust-tar-0.4.40-1.mga9.src.rpm
rust-textwrap-0.16.0-1.mga9.src.rpm
rust-textwrap0.11-0.11.0-1.mga9.src.rpm
rust-toml0.4-0.4.10-0.1.mga9.src.rpm
rust-toml0.5-0.5.11-1.mga9.src.rpm
rust-xattr-1.0.1-1.mga9.src.rpm

If it is fine to move those packages to updates, we need a bug for them.
Comment 16 katnatek 2024-12-16 19:29:27 CET
(In reply to Christiaan Welvaart from comment #11)
> Can rust 1.76 be moved to updates? Chromium M130 does not compile with rust
> 1.74 from updates while it does build with rust 1.76 currently in
> updates_testing.

Another issue to build the new chromium? The requested packages are now in updates; did you require any other of the rust packages in testing?
Comment 17 katnatek 2025-07-26 23:11:03 CEST
https://bugs.mageia.org/show_bug.cgi?id=34500#c5
(In reply to Keith Bowes from comment #5)
> (In reply to Jani Välimaa from comment #1)
> > Rust 1.80.0 should be enough according to upstream PR:
> > https://github.com/rust-lang/rust/pull/124678#event-12703606396.
> > 
> > Upstream commit:
> > https://github.com/rust-lang/rust/commit/
> > 93ca906cb572d8754dc43773a3cd502717fd8f07
> 
> It seems that even if Rust 1.80 is enough, it should be updated to 1.81 just
> to fix https://bugs.mageia.org/show_bug.cgi?id=33522 while you're updating
> Rust anyway.

I wonder if it is valid for linux

https://blog.rust-lang.org/2024/04/09/cve-2024-24576/
The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.

CC: (none) => j.alberto.vc, zooplah

Comment 18 katnatek 2025-07-26 23:16:22 CEST
(In reply to katnatek from comment #17)
> https://bugs.mageia.org/show_bug.cgi?id=34500#c5
> (In reply to Keith Bowes from comment #5)
> > (In reply to Jani Välimaa from comment #1)
> > > Rust 1.80.0 should be enough according to upstream PR:
> > > https://github.com/rust-lang/rust/pull/124678#event-12703606396.
> > > 
> > > Upstream commit:
> > > https://github.com/rust-lang/rust/commit/
> > > 93ca906cb572d8754dc43773a3cd502717fd8f07
> > 
> > It seems that even if Rust 1.80 is enough, it should be updated to 1.81 just
> > to fix https://bugs.mageia.org/show_bug.cgi?id=33522 while you're updating
> > Rust anyway.
> 
> I wonder if it is valid for linux
> 
> https://blog.rust-lang.org/2024/04/09/cve-2024-24576/
> The Rust Security Response WG was notified that the Rust standard library
> did not properly escape arguments when invoking batch files (with the bat
> and cmd extensions) on Windows using the Command API. An attacker able to
> control the arguments passed to the spawned process could execute arbitrary
> shell commands by bypassing the escaping.

Affected Versions

All Rust versions before 1.77.2 on Windows are affected, if your code or one of your dependencies executes batch files with untrusted arguments. Other platforms or other uses on Windows are not affected.

So this bug is invalid, I think; not closing yet.
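The question in the two comments above is whether the Windows batch-file escaping issue (CVE-2024-24576, and its follow-up CVE-2024-43402 fixed in 1.81.0) can apply on Linux. The added example below, not taken from the bug report or from the Rust project, shows why it does not: on Unix `std::process::Command` hands each `.arg()` to `execve(2)` as a separate argv entry with no shell parsing, and the only way metacharacters get interpreted is if the program itself builds a shell string. It assumes a Linux host with `echo` and `sh` on the PATH.

```rust
// Added example (not from the bug report or the Rust project).
// On Unix, Command passes each .arg() as one argv entry to execve(2);
// no shell parses it, so metacharacters reach the child verbatim.
// Assumes `echo` and `sh` are on the PATH (any Linux box).
use std::process::Command;

/// Run `echo` with a single argv entry and return what the child printed.
pub fn echo_via_argv(arg: &str) -> String {
    let out = Command::new("echo")
        .arg(arg) // one argv entry, no quoting or escaping involved
        .output()
        .expect("failed to spawn echo");
    String::from_utf8_lossy(&out.stdout).trim_end().to_string()
}

/// The pattern that reintroduces the problem on any platform: the program
/// itself builds a command line by string interpolation and hands it to a
/// shell, so the shell, not execve, parses `arg`.
pub fn echo_via_shell_string(arg: &str) -> String {
    let out = Command::new("sh")
        .arg("-c")
        .arg(format!("echo {}", arg)) // `arg` is parsed by sh
        .output()
        .expect("failed to spawn sh");
    String::from_utf8_lossy(&out.stdout).trim_end().to_string()
}

fn main() {
    // Constructed input containing shell metacharacters.
    let hostile = "a; echo injected";
    println!("argv:  {:?}", echo_via_argv(hostile));         // "a; echo injected"
    println!("shell: {:?}", echo_via_shell_string(hostile)); // "a\ninjected"
}
```

The first function is the std behaviour the advisory calls unaffected; the second is application code choosing a shell, which no std fix can protect.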
Comment 19 katnatek 2025-07-27 01:11:26 CEST
Everything related to this CVE talks of Windows only.
Reopen if you find information that proves it affects Linux.

Resolution: (none) => INVALID
Status: NEW => RESOLVED

