Hi,

The Rust standard library has a vulnerability (Buffer Overflow) which
has been corrected in 1.22.0.

OpenBSD 6.2 ships a vulnerable version (1.20.0). Other OpenBSD versions
are fine (6.3: 1.24.0 / -current: 1.28.0).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000657
https://github.com/rust-lang/rust/issues/44800
https://github.com/rust-lang/rust/commit/f71b37bc28326e272a37b938e835d4f99113eec2

I am unsure if we should patch it or not: the sole real customer for
lang/rust is firefox, and you don't want to run such an old version
actually.

But as the fix is trivial, I prefer to provide a patch, but it is untested:
I don't have access to OPENBSD_6_2 to test the build. I hope rustbuild
will be kind and not rerandomize the filenames (else PLISTs would be
wrong).

So below are two patches:
- one for devel/quirks for reporting the issue on 'rust-<1.22'
- one for lang/rust, against OPENBSD_6_2 branch, if someone is able to
  test the build, to fix it

Thanks.
-- 
Sebastien Marie


Index: devel/quirks/files/Quirks.pm
===================================================================
RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
retrieving revision 1.626
diff -u -p -r1.626 Quirks.pm
--- devel/quirks/files/Quirks.pm        14 Aug 2018 18:48:15 -0000      1.626
+++ devel/quirks/files/Quirks.pm        23 Aug 2018 08:15:07 -0000
@@ -1147,6 +1147,7 @@ my $cve = {
        'audio/flac' => 'flac-<1.3.0p1',
        'devel/pcre' => 'pcre-<8.38',
        'graphics/tiff' => 'tiff-<4.0.4beta',
+       'lang/rust' => 'rust-<1.22',
        'mail/exim' => 'exim-<4.83',
        'net/lldpd' => 'lldpd-<0.7.18p0',
        'net/ntp' => 'ntp-<4.2.8pl7',
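Review bot: The added 'rust-<1.22' spec would still match the package produced by the lang/rust backport in this same mail, which stays at V = 1.20.0 and only gains REVISION = 0 (rust-1.20.0p0). If the backport is committed to OPENBSD_6_2, a user who installs the fixed package keeps being flagged. A spec bounded by the revision, in the style of the existing 'flac-<1.3.0p1' entry, for example 'rust-<1.20.0p0', would stop matching once the patched package is installed on that branch.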
Index: lang/rust/Makefile
===================================================================
RCS file: /cvs/ports/lang/rust/Makefile,v
retrieving revision 1.51
diff -u -p -r1.51 Makefile
--- lang/rust/Makefile  3 Sep 2017 14:08:36 -0000       1.51
+++ lang/rust/Makefile  23 Aug 2018 08:38:01 -0000
@@ -11,6 +11,7 @@ COMMENT-doc =         html documentation for ru
 V =                    1.20.0
 CARGO_V =              0.21.0
 DISTNAME =             rustc-${V}-src
+REVISION =             0
 
 # rustc bootstrap version
 BV-amd64 =             1.20.0-20170829
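Review bot: The REVISION = 0 added after DISTNAME only forces an update of the rust packages themselves. The code being fixed lives in liballoc, which is normally linked statically into programs built with rustc, so a port built with the 1.20.0 compiler (the mail names firefox) keeps the old VecDeque code until it is rebuilt. It is worth stating in the commit whether dependent ports on this branch also get a REVISION bump, or why they do not need one.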
Index: lang/rust/patches/patch-src_liballoc_vec_deque_rs
===================================================================
RCS file: lang/rust/patches/patch-src_liballoc_vec_deque_rs
diff -N lang/rust/patches/patch-src_liballoc_vec_deque_rs
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ lang/rust/patches/patch-src_liballoc_vec_deque_rs   23 Aug 2018 08:41:29 
-0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+Backport of issue #44800 CVE-2018-1000657
+https://github.com/rust-lang/rust/commit/f71b37bc28326e272a37b938e835d4f99113eec2
+Index: src/liballoc/vec_deque.rs
+--- src/liballoc/vec_deque.rs.orig
++++ src/liballoc/vec_deque.rs
+@@ -556,7 +556,7 @@ impl<T> VecDeque<T> {
+             .and_then(|needed_cap| needed_cap.checked_next_power_of_two())
+             .expect("capacity overflow");
+ 
+-        if new_cap > self.capacity() {
++        if new_cap > old_cap {
+             self.buf.reserve_exact(used_cap, new_cap - used_cap);
+             unsafe {
+                 self.handle_cap_increase(old_cap);
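Review bot: The `+++ lang/rust/patches/patch-src_liballoc_vec_deque_rs` header is wrapped, leaving `-0000` alone on the next line, so this part of the diff needs the two lines rejoined before it is fed to patch(1). Separately, the embedded hunk is anchored at `@@ -556,7 +556,7 @@` and the mail says the build is untested, so someone with an OPENBSD_6_2 tree should confirm with `make patch` that it applies cleanly to the 1.20.0 vec_deque.rs before this goes in. The one-line change itself (`new_cap > old_cap` in place of `new_cap > self.capacity()`) is consistent with the surrounding context, which already passes `old_cap` to `handle_cap_increase`.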
