From: "Georgy Yakovlev"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Georgy Yakovlev"
Message-ID: <1663211021.f36a42fed54e19b300f243f14523fc4267907426.gyakovlev@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-lang/rust/files/, dev-lang/rust/
X-VCS-Repository: repo/gentoo
X-VCS-Files: dev-lang/rust/files/1.63.0-CVE-2022-36113.patch dev-lang/rust/files/1.63.0-CVE-2022-36114.patch dev-lang/rust/rust-1.63.0-r1.ebuild dev-lang/rust/rust-1.63.0.ebuild
X-VCS-Directories: dev-lang/rust/files/ dev-lang/rust/
X-VCS-Committer: gyakovlev
X-VCS-Committer-Name: Georgy Yakovlev
X-VCS-Revision: f36a42fed54e19b300f243f14523fc4267907426
X-VCS-Branch: master
Date: Thu, 15 Sep 2022 03:15:53 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: d8f2e178-0419-47f7-9aba-0b948b7b988c
X-Archives-Hash: f6674c955eae97cd5240315bf9d20198

commit: f36a42fed54e19b300f243f14523fc4267907426
Author: Georgy Yakovlev gentoo org>
AuthorDate: Thu Sep 15 03:03:41 2022 +0000
Commit: Georgy Yakovlev gentoo org>
CommitDate: Thu Sep 15 03:03:41 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f36a42fe

dev-lang/rust: revbump 1.63.0, add cargo security fixes

Bug: https://bugs.gentoo.org/870166
Signed-off-by: Georgy Yakovlev gentoo.org>

dev-lang/rust/files/1.63.0-CVE-2022-36113.patch | 48 ++++++++++
dev-lang/rust/files/1.63.0-CVE-2022-36114.patch | 102 +++++++++++++++++++++
.../{rust-1.63.0.ebuild => rust-1.63.0-r1.ebuild} | 2 +
3 files changed, 152 insertions(+)

diff --git a/dev-lang/rust/files/1.63.0-CVE-2022-36113.patch b/dev-lang/rust/files/1.63.0-CVE-2022-36113.patch
new file mode 100644
index 000000000000..a87687dce387
--- /dev/null
+++ b/dev-lang/rust/files/1.63.0-CVE-2022-36113.patch
@@ -0,0 +1,48 @@
+From 97b80919e404b0768ea31ae329c3b4da54bed05a Mon Sep 17 00:00:00 2001
+From: Josh Triplett
+Date: Thu, 18 Aug 2022 17:17:19 +0200
+Subject: [PATCH] CVE-2022-36113: avoid unpacking .cargo-ok from the crate
+
+---
+ src/cargo/sources/registry/mod.rs | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+gyakovlev: 'sed -i 's|/src/cargo|/src/tools/cargo/src/cargo|g'
+
+diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+index c17b822fd0..a2863bf78a 100644
+--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
++++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+@@ -639,6 +639,13 @@ impl<'cfg> RegistrySource<'cfg> {
+ prefix
+ )
+ }
++ // Prevent unpacking the lockfile from the crate itself.
++ if entry_path
++ .file_name()
++ .map_or(false, |p| p == PACKAGE_SOURCE_LOCK)
++ {
++ continue;
++ }
+ // Unpacking failed
+ let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from);
+ if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) {
+@@ -654,16 +661,14 @@ impl<'cfg> RegistrySource<'cfg> {
+ .with_context(|| format!("failed to unpack entry at `{}`", entry_path.display()))?;
+ }
+
+- // The lock file is created after unpacking so we overwrite a lock file
+- // which may have been extracted from the package.
++ // Now that we've finished unpacking, create and write to the lock file to indicate that
++ // unpacking was successful.
+ let mut ok = OpenOptions::new()
+- .create(true)
++ .create_new(true)
+ .read(true)
+ .write(true)
+ .open(&path)
+ .with_context(|| format!("failed to open `{}`", path.display()))?;
+-
+- // Write to the lock file to indicate that unpacking was successful.
+ write!(ok, "ok")?;
+
+ Ok(unpack_dir.to_path_buf())
diff --git a/dev-lang/rust/files/1.63.0-CVE-2022-36114.patch b/dev-lang/rust/files/1.63.0-CVE-2022-36114.patch
new file mode 100644
index 000000000000..1afbaa94138c
--- /dev/null
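Review bot: The `.cargo-ok` skip in the first inner hunk compares only `entry_path.file_name()`, so an entry named `.cargo-ok` inside any subdirectory of the crate is dropped as well, not just one at the unpack root; that is a safe over-approximation, but it is not stated and a reader may take it for an oversight. Suggest extending the comment to `// Prevent unpacking the lockfile from the crate itself (matched by file name at any depth, so a nested .cargo-ok is dropped too).` The switch to `.create_new(true)` in the second inner hunk also means the open now fails with "failed to open" if a lock file already exists at `path` when this point is reached; the enclosing method starts outside the hunk, so whether an earlier existence check guarantees that cannot be seen here and is worth confirming against the 1.63.0 source being patched.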
+++ b/dev-lang/rust/files/1.63.0-CVE-2022-36114.patch 
@@ -0,0 +1,102 @@
+From d1f9553c825f6d7481453be8d58d0e7f117988a7 Mon Sep 17 00:00:00 2001
+From: Josh Triplett
+Date: Thu, 18 Aug 2022 17:45:45 +0200
+Subject: [PATCH] CVE-2022-36114: limit the maximum unpacked size of a crate to
+ 512MB
+
+This gives users of custom registries the same protections, using the
+same size limit that crates.io uses.
+
+`LimitErrorReader` code copied from crates.io.
+---
+ src/cargo/sources/registry/mod.rs | 6 +++++-
+ src/cargo/util/io.rs | 27 +++++++++++++++++++++++++++
+ src/cargo/util/mod.rs | 2 ++
+ 3 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 src/cargo/util/io.rs
+gyakovlev: 'sed -i 's|/src/cargo|/src/tools/cargo/src/cargo|g'
+
+diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+index a2863bf78a..c9c414e500 100644
+--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
++++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+@@ -182,7 +182,9 @@ use crate::util::hex;
+ use crate::util::interning::InternedString;
+ use crate::util::into_url::IntoUrl;
+ use crate::util::network::PollExt;
+-use crate::util::{restricted_names, CargoResult, Config, Filesystem, OptVersionReq};
++use crate::util::{
++ restricted_names, CargoResult, Config, Filesystem, LimitErrorReader, OptVersionReq,
++};
+
+ const PACKAGE_SOURCE_LOCK: &str = ".cargo-ok";
+ pub const CRATES_IO_INDEX: &str = "https://github.com/rust-lang/crates.io-index";
+@@ -194,6 +196,7 @@ const VERSION_TEMPLATE: &str = "{version}";
+ const PREFIX_TEMPLATE: &str = "{prefix}";
+ const LOWER_PREFIX_TEMPLATE: &str = "{lowerprefix}";
+ const CHECKSUM_TEMPLATE: &str = "{sha256-checksum}";
++const MAX_UNPACK_SIZE: u64 = 512 * 1024 * 1024;
+
+ /// A "source" for a local (see `local::LocalRegistry`) or remote (see
+ /// `remote::RemoteRegistry`) registry.
+@@ -615,6 +618,7 @@ impl<'cfg> RegistrySource<'cfg> {
+ }
+ }
+ let gz = GzDecoder::new(tarball);
++ let gz = LimitErrorReader::new(gz, MAX_UNPACK_SIZE);
+ let mut tar = Archive::new(gz);
+ let prefix = unpack_dir.file_name().unwrap();
+ let parent = unpack_dir.parent().unwrap();
+diff --git a/src/tools/cargo/src/cargo/util/io.rs b/src/tools/cargo/src/cargo/util/io.rs
+new file mode 100644
+index 0000000000..f62672db03
+--- /dev/null
++++ b/src/tools/cargo/src/cargo/util/io.rs
+@@ -0,0 +1,27 @@
++use std::io::{self, Read, Take};
++
++#[derive(Debug)]
++pub struct LimitErrorReader {
++ inner: Take,
++}
++
++impl LimitErrorReader {
++ pub fn new(r: R, limit: u64) -> LimitErrorReader {
++ LimitErrorReader {
++ inner: r.take(limit),
++ }
++ }
++}
++
++impl Read for LimitErrorReader {
++ fn read(&mut self, buf: &mut [u8]) -> io::Result {
++ match self.inner.read(buf) {
++ Ok(0) if self.inner.limit() == 0 => Err(io::Error::new(
++ io::ErrorKind::Other,
++ "maximum limit reached when reading",
++ )),
++ e => e,
++ }
++ }
++}
++
+diff --git a/src/tools/cargo/src/cargo/util/mod.rs b/src/tools/cargo/src/cargo/util/mod.rs
+index 28f685c209..47bbf37aad 100644
+--- a/src/tools/cargo/src/cargo/util/mod.rs
++++ b/src/tools/cargo/src/cargo/util/mod.rs
+@@ -14,6 +14,7 @@ pub use self::hasher::StableHasher;
+ pub use self::hex::{hash_u64, short_hash, to_hex};
+ pub use self::into_url::IntoUrl;
+ pub use self::into_url_with_base::IntoUrlWithBase;
++pub(crate) use self::io::LimitErrorReader;
+ pub use self::lev_distance::{closest, closest_msg, lev_distance};
+ pub use self::lockserver::{LockServer, LockServerClient, LockServerStarted};
+ pub use self::progress::{Progress, ProgressStyle};
+@@ -44,6 +45,7 @@ pub mod important_paths;
+ pub mod interning;
+ pub mod into_url;
+ mod into_url_with_base;
++mod io;
+ pub mod job;
+ pub mod lev_distance;
+ mod lockserver;
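Review bot: `LimitErrorReader::read` in the new `util/io.rs` raises the error as soon as `Take` yields `Ok(0)` with `limit() == 0`, which is also what happens when the decompressed stream ends at exactly `MAX_UNPACK_SIZE` bytes, so a crate of precisely 512 MiB is rejected rather than accepted, and the error is a bare `ErrorKind::Other` whose message does not say which limit was hit. That is fine for a hard cap but should be documented on the type, e.g. `/// Reader that fails with an error instead of silently truncating once `limit` bytes have been read; a stream of exactly `limit` bytes is rejected as well.` Because the wrapper is applied to `GzDecoder::new(tarball)` in `registry/mod.rs`, the bound is on decompressed bytes, which is what protects against a small archive that inflates far past the limit; a one-line comment next to `MAX_UNPACK_SIZE` saying it counts decompressed bytes would make that explicit. The generic parameter on `LimitErrorReader` and the `io::Result` type argument appear stripped in this listing, which looks like a rendering artifact of the mail archive rather than the committed patch, but it is worth confirming the file in the tree applies cleanly.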
diff --git a/dev-lang/rust/rust-1.63.0.ebuild b/dev-lang/rust/rust-1.63.0-r1.ebuild
similarity index 99%
rename from dev-lang/rust/rust-1.63.0.ebuild
rename to dev-lang/rust/rust-1.63.0-r1.ebuild
index 900816d560ac..6031ffd57528 100644
--- a/dev-lang/rust/rust-1.63.0.ebuild
+++ b/dev-lang/rust/rust-1.63.0-r1.ebuild
@@ -164,6 +164,8 @@ PATCHES=(
 "${FILESDIR}"/1.55.0-ignore-broken-and-non-applicable-tests.patch
 "${FILESDIR}"/1.62.1-musl-dynamic-linking.patch
 "${FILESDIR}"/1.61.0-gentoo-musl-target-specs.patch
+ "${FILESDIR}"/1.63.0-CVE-2022-36113.patch
+ "${FILESDIR}"/1.63.0-CVE-2022-36114.patch
 )

 S="${WORKDIR}/${MY_P}-src"