commit: f36a42fed54e19b300f243f14523fc4267907426 Author: Georgy Yakovlev <gyakovlev <AT> gentoo <DOT> org> AuthorDate: Thu Sep 15 03:03:41 2022 +0000 Commit: Georgy Yakovlev <gyakovlev <AT> gentoo <DOT> org> CommitDate: Thu Sep 15 03:03:41 2022 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f36a42fe
dev-lang/rust: revbump 1.63.0, add cargo security fixes Bug: https://bugs.gentoo.org/870166 Signed-off-by: Georgy Yakovlev <gyakovlev <AT> gentoo.org> dev-lang/rust/files/1.63.0-CVE-2022-36113.patch | 48 ++++++++++ dev-lang/rust/files/1.63.0-CVE-2022-36114.patch | 102 +++++++++++++++++++++ .../{rust-1.63.0.ebuild => rust-1.63.0-r1.ebuild} | 2 + 3 files changed, 152 insertions(+) diff --git a/dev-lang/rust/files/1.63.0-CVE-2022-36113.patch b/dev-lang/rust/files/1.63.0-CVE-2022-36113.patch new file mode 100644 index 000000000000..a87687dce387 --- /dev/null +++ b/dev-lang/rust/files/1.63.0-CVE-2022-36113.patch @@ -0,0 +1,48 @@ +From 97b80919e404b0768ea31ae329c3b4da54bed05a Mon Sep 17 00:00:00 2001 +From: Josh Triplett <[email protected]> +Date: Thu, 18 Aug 2022 17:17:19 +0200 +Subject: [PATCH] CVE-2022-36113: avoid unpacking .cargo-ok from the crate + +--- + src/cargo/sources/registry/mod.rs | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) +gyakovlev: 'sed -i 's|/src/cargo|/src/tools/cargo/src/cargo|g' + +diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs +index c17b822fd0..a2863bf78a 100644 +--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs ++++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs +@@ -639,6 +639,13 @@ impl<'cfg> RegistrySource<'cfg> { + prefix + ) + } ++ // Prevent unpacking the lockfile from the crate itself. ++ if entry_path ++ .file_name() ++ .map_or(false, |p| p == PACKAGE_SOURCE_LOCK) ++ { ++ continue; ++ } + // Unpacking failed + let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from); + if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) { +@@ -654,16 +661,14 @@ impl<'cfg> RegistrySource<'cfg> { + .with_context(|| format!("failed to unpack entry at `{}`", entry_path.display()))?; + } + +- // The lock file is created after unpacking so we overwrite a lock file +- // which may have been extracted from the package. ++ // Now that we've finished unpacking, create and write to the lock file to indicate that ++ // unpacking was successful. + let mut ok = OpenOptions::new() +- .create(true) ++ .create_new(true) + .read(true) + .write(true) + .open(&path) + .with_context(|| format!("failed to open `{}`", path.display()))?; +- +- // Write to the lock file to indicate that unpacking was successful. + write!(ok, "ok")?; + + Ok(unpack_dir.to_path_buf()) diff --git a/dev-lang/rust/files/1.63.0-CVE-2022-36114.patch b/dev-lang/rust/files/1.63.0-CVE-2022-36114.patch new file mode 100644 index 000000000000..1afbaa94138c --- /dev/null +++ b/dev-lang/rust/files/1.63.0-CVE-2022-36114.patch @@ -0,0 +1,102 @@ +From d1f9553c825f6d7481453be8d58d0e7f117988a7 Mon Sep 17 00:00:00 2001 +From: Josh Triplett <[email protected]> +Date: Thu, 18 Aug 2022 17:45:45 +0200 +Subject: [PATCH] CVE-2022-36114: limit the maximum unpacked size of a crate to + 512MB + +This gives users of custom registries the same protections, using the +same size limit that crates.io uses. + +`LimitErrorReader` code copied from crates.io. +--- + src/cargo/sources/registry/mod.rs | 6 +++++- + src/cargo/util/io.rs | 27 +++++++++++++++++++++++++++ + src/cargo/util/mod.rs | 2 ++ + 3 files changed, 34 insertions(+), 1 deletion(-) + create mode 100644 src/cargo/util/io.rs +gyakovlev: 'sed -i 's|/src/cargo|/src/tools/cargo/src/cargo|g' + +diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs +index a2863bf78a..c9c414e500 100644 +--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs ++++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs +@@ -182,7 +182,9 @@ use crate::util::hex; + use crate::util::interning::InternedString; + use crate::util::into_url::IntoUrl; + use crate::util::network::PollExt; +-use crate::util::{restricted_names, CargoResult, Config, Filesystem, OptVersionReq}; ++use crate::util::{ ++ restricted_names, CargoResult, Config, Filesystem, LimitErrorReader, OptVersionReq, ++}; + + const PACKAGE_SOURCE_LOCK: &str = ".cargo-ok"; + pub const CRATES_IO_INDEX: &str = "https://github.com/rust-lang/crates.io-index";; +@@ -194,6 +196,7 @@ const VERSION_TEMPLATE: &str = "{version}"; + const PREFIX_TEMPLATE: &str = "{prefix}"; + const LOWER_PREFIX_TEMPLATE: &str = "{lowerprefix}"; + const CHECKSUM_TEMPLATE: &str = "{sha256-checksum}"; ++const MAX_UNPACK_SIZE: u64 = 512 * 1024 * 1024; + + /// A "source" for a local (see `local::LocalRegistry`) or remote (see + /// `remote::RemoteRegistry`) registry. +@@ -615,6 +618,7 @@ impl<'cfg> RegistrySource<'cfg> { + } + } + let gz = GzDecoder::new(tarball); ++ let gz = LimitErrorReader::new(gz, MAX_UNPACK_SIZE); + let mut tar = Archive::new(gz); + let prefix = unpack_dir.file_name().unwrap(); + let parent = unpack_dir.parent().unwrap(); +diff --git a/src/tools/cargo/src/cargo/util/io.rs b/src/tools/cargo/src/cargo/util/io.rs +new file mode 100644 +index 0000000000..f62672db03 +--- /dev/null ++++ b/src/tools/cargo/src/cargo/util/io.rs +@@ -0,0 +1,27 @@ ++use std::io::{self, Read, Take}; ++ ++#[derive(Debug)] ++pub struct LimitErrorReader<R> { ++ inner: Take<R>, ++} ++ ++impl<R: Read> LimitErrorReader<R> { ++ pub fn new(r: R, limit: u64) -> LimitErrorReader<R> { ++ LimitErrorReader { ++ inner: r.take(limit), ++ } ++ } ++} ++ ++impl<R: Read> Read for LimitErrorReader<R> { ++ fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { ++ match self.inner.read(buf) { ++ Ok(0) if self.inner.limit() == 0 => Err(io::Error::new( ++ io::ErrorKind::Other, ++ "maximum limit reached when reading", ++ )), ++ e => e, ++ } ++ } ++} ++ +diff --git a/src/tools/cargo/src/cargo/util/mod.rs b/src/tools/cargo/src/cargo/util/mod.rs +index 28f685c209..47bbf37aad 100644 +--- a/src/tools/cargo/src/cargo/util/mod.rs ++++ b/src/tools/cargo/src/cargo/util/mod.rs +@@ -14,6 +14,7 @@ pub use self::hasher::StableHasher; + pub use self::hex::{hash_u64, short_hash, to_hex}; + pub use self::into_url::IntoUrl; + pub use self::into_url_with_base::IntoUrlWithBase; ++pub(crate) use self::io::LimitErrorReader; + pub use self::lev_distance::{closest, closest_msg, lev_distance}; + pub use self::lockserver::{LockServer, LockServerClient, LockServerStarted}; + pub use self::progress::{Progress, ProgressStyle}; +@@ -44,6 +45,7 @@ pub mod important_paths; + pub mod interning; + pub mod into_url; + mod into_url_with_base; ++mod io; + pub mod job; + pub mod lev_distance; + mod lockserver; diff --git a/dev-lang/rust/rust-1.63.0.ebuild b/dev-lang/rust/rust-1.63.0-r1.ebuild similarity index 99% rename from dev-lang/rust/rust-1.63.0.ebuild rename to dev-lang/rust/rust-1.63.0-r1.ebuild index 900816d560ac..6031ffd57528 100644 --- a/dev-lang/rust/rust-1.63.0.ebuild +++ b/dev-lang/rust/rust-1.63.0-r1.ebuild @@ -164,6 +164,8 @@ PATCHES=( "${FILESDIR}"/1.55.0-ignore-broken-and-non-applicable-tests.patch "${FILESDIR}"/1.62.1-musl-dynamic-linking.patch "${FILESDIR}"/1.61.0-gentoo-musl-target-specs.patch + "${FILESDIR}"/1.63.0-CVE-2022-36113.patch + "${FILESDIR}"/1.63.0-CVE-2022-36114.patch ) S="${WORKDIR}/${MY_P}-src"
