!136 Fix CVE-2022-36113, CVE-2022-36114

From: @starlet-dx 
Reviewed-by: @wk333 
Signed-off-by: @wk333

CVE-2021-29922.patch

@@ -0,0 +1,108 @@
+From 974192cd98b3efca8e5cd293f641f561e7487b30 Mon Sep 17 00:00:00 2001
+From: Cheng XU <git@xuc.me>
+Date: Tue, 30 Mar 2021 10:24:23 +0800
+Subject: [PATCH] Disallow octal format in Ipv4 string
+
+In its original specification, leading zero in Ipv4 string is interpreted
+as octal literals. So a IP address 0127.0.0.1 actually means 87.0.0.1.
+
+This confusion can lead to many security vulnerabilities. Therefore, in
+[IETF RFC 6943], it suggests to disallow octal/hexadecimal format in Ipv4
+string all together.
+
+Existing implementation already disallows hexadecimal numbers. This commit
+makes Parser reject octal numbers.
+
+Fixes #83648.
+
+[IETF RFC 6943]: https://tools.ietf.org/html/rfc6943#section-3.1.1
+---
+ library/std/src/net/ip.rs           |  2 ++
+ library/std/src/net/parser.rs       | 14 +++++++++++++-
+ library/std/src/net/parser/tests.rs |  8 ++++++++
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/library/std/src/net/ip.rs b/library/std/src/net/ip.rs
+index 2aa305d7f831e..7f8c33dac561f 100644
+--- a/library/std/src/net/ip.rs
++++ b/library/std/src/net/ip.rs
+@@ -67,7 +67,9 @@ pub enum IpAddr {
+ ///
+ /// `Ipv4Addr` provides a [`FromStr`] implementation. The four octets are in decimal
+ /// notation, divided by `.` (this is called "dot-decimal notation").
++/// Notably, octal numbers and hexadecimal numbers are not allowed per [IETF RFC 6943].
+ ///
++/// [IETF RFC 6943]: https://tools.ietf.org/html/rfc6943#section-3.1.1
+ /// [`FromStr`]: crate::str::FromStr
+ ///
+ /// # Examples
+diff --git a/library/std/src/net/parser.rs b/library/std/src/net/parser.rs
+index 7064ed3ed236d..88a8cb76befbf 100644
+--- a/library/std/src/net/parser.rs
++++ b/library/std/src/net/parser.rs
+@@ -67,6 +67,11 @@ impl<'a> Parser<'a> {
+         if self.state.is_empty() { result } else { None }.ok_or(AddrParseError(()))
+     }
+ 
++    /// Peek the next character from the input
++    fn peek_char(&self) -> Option<char> {
++        self.state.first().map(|&b| char::from(b))
++    }
++
+     /// Read the next character from the input
+     fn read_char(&mut self) -> Option<char> {
+         self.state.split_first().map(|(&b, tail)| {
+@@ -132,7 +137,14 @@ impl<'a> Parser<'a> {
+             let mut groups = [0; 4];
+ 
+             for (i, slot) in groups.iter_mut().enumerate() {
+-                *slot = p.read_separator('.', i, |p| p.read_number(10, None))?;
++                *slot = p.read_separator('.', i, |p| {
++                    // Disallow octal number in IP string.
++                    // https://tools.ietf.org/html/rfc6943#section-3.1.1
++                    match (p.peek_char(), p.read_number(10, None)) {
++                        (Some('0'), Some(number)) if number != 0 => None,
++                        (_, number) => number,
++                    }
++                })?;
+             }
+ 
+             Some(groups.into())
+diff --git a/library/std/src/net/parser/tests.rs b/library/std/src/net/parser/tests.rs
+index 8d8889cd19d36..6d2d48ecad02f 100644
+--- a/library/std/src/net/parser/tests.rs
++++ b/library/std/src/net/parser/tests.rs
+@@ -8,11 +8,15 @@ const SCOPE_ID: u32 = 1337;
+ const IPV4: Ipv4Addr = Ipv4Addr::new(192, 168, 0, 1);
+ const IPV4_STR: &str = "192.168.0.1";
+ const IPV4_STR_PORT: &str = "192.168.0.1:8080";
++const IPV4_STR_WITH_OCTAL: &str = "0127.0.0.1";
++const IPV4_STR_WITH_HEX: &str = "0x10.0.0.1";
+ 
+ const IPV6: Ipv6Addr = Ipv6Addr::new(0x2001, 0xdb8, 0, 0, 0, 0, 0xc0a8, 0x1);
+ const IPV6_STR_FULL: &str = "2001:db8:0:0:0:0:c0a8:1";
+ const IPV6_STR_COMPRESS: &str = "2001:db8::c0a8:1";
+ const IPV6_STR_V4: &str = "2001:db8::192.168.0.1";
++const IPV6_STR_V4_WITH_OCTAL: &str = "2001:db8::0127.0.0.1";
++const IPV6_STR_V4_WITH_HEX: &str = "2001:db8::0x10.0.0.1";
+ const IPV6_STR_PORT: &str = "[2001:db8::c0a8:1]:8080";
+ const IPV6_STR_PORT_SCOPE_ID: &str = "[2001:db8::c0a8:1%1337]:8080";
+ 
+@@ -22,6 +26,8 @@ fn parse_ipv4() {
+     assert_eq!(result, IPV4);
+ 
+     assert!(Ipv4Addr::from_str(IPV4_STR_PORT).is_err());
++    assert!(Ipv4Addr::from_str(IPV4_STR_WITH_OCTAL).is_err());
++    assert!(Ipv4Addr::from_str(IPV4_STR_WITH_HEX).is_err());
+     assert!(Ipv4Addr::from_str(IPV6_STR_FULL).is_err());
+     assert!(Ipv4Addr::from_str(IPV6_STR_COMPRESS).is_err());
+     assert!(Ipv4Addr::from_str(IPV6_STR_V4).is_err());
+@@ -39,6 +45,8 @@ fn parse_ipv6() {
+     let result: Ipv6Addr = IPV6_STR_V4.parse().unwrap();
+     assert_eq!(result, IPV6);
+ 
++    assert!(Ipv6Addr::from_str(IPV6_STR_V4_WITH_OCTAL).is_err());
++    assert!(Ipv6Addr::from_str(IPV6_STR_V4_WITH_HEX).is_err());
+     assert!(Ipv6Addr::from_str(IPV4_STR).is_err());
+     assert!(Ipv6Addr::from_str(IPV4_STR_PORT).is_err());
+     assert!(Ipv6Addr::from_str(IPV6_STR_PORT).is_err());

CVE-2022-36113.patch

@@ -0,0 +1,54 @@
+Refer: 
+https://github.com/rust-lang/cargo/commit/15f1e4b0bf4b4fc20369e0a85d9b77957c4dd52a
+https://build.opensuse.org/package/show/SUSE:SLE-15-SP3:Update/rust1.62
+
+From 15f1e4b0bf4b4fc20369e0a85d9b77957c4dd52a Mon Sep 17 00:00:00 2001
+From: Josh Triplett <josh@joshtriplett.org>
+Date: Thu, 18 Aug 2022 17:17:19 +0200
+Subject: [PATCH] CVE-2022-36113: avoid unpacking .cargo-ok from the crate
+
+---
+ src/tools/cargo/src/cargo/sources/registry/mod.rs | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+index 3142e71..5357e9c 100644
+--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
++++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+@@ -607,6 +607,13 @@ impl<'cfg> RegistrySource<'cfg> {
+                     prefix
+                 )
+             }
++            // Prevent unpacking the lockfile from the crate itself.
++            if entry_path
++                .file_name()
++                .map_or(false, |p| p == PACKAGE_SOURCE_LOCK)
++            {
++                continue;
++            }
+             // Unpacking failed
+             let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from);
+             if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) {
+@@ -621,16 +628,15 @@ impl<'cfg> RegistrySource<'cfg> {
+             result.chain_err(|| format!("failed to unpack entry at `{}`", entry_path.display()))?;
+         }
+ 
+-        // The lock file is created after unpacking so we overwrite a lock file
+-        // which may have been extracted from the package.
++        // Now that we've finished unpacking, create and write to the lock file to indicate that
++        // unpacking was successful.
+         let mut ok = OpenOptions::new()
+-            .create(true)
++            .create_new(true)
+             .read(true)
+             .write(true)
+             .open(&path)
+             .chain_err(|| format!("failed to open `{}`", path.display()))?;
+ 
+-        // Write to the lock file to indicate that unpacking was successful.
+         write!(ok, "ok")?;
+ 
+         Ok(unpack_dir.to_path_buf())
+-- 
+2.27.0
+

CVE-2022-36114.patch

@@ -0,0 +1,107 @@
+Refer: 
+https://github.com/rust-lang/cargo/commit/2b68d3c07a4a056264dc006ecb9f1354a0679cd3
+https://build.opensuse.org/package/show/SUSE:SLE-15-SP3:Update/rust1.62
+
+From 2b68d3c07a4a056264dc006ecb9f1354a0679cd3 Mon Sep 17 00:00:00 2001
+From: Josh Triplett <josh@joshtriplett.org>
+Date: Thu, 18 Aug 2022 17:45:45 +0200
+Subject: [PATCH] CVE-2022-36114: limit the maximum unpacked size of a crate to
+ 512MB
+
+This gives users of custom registries the same protections, using the
+same size limit that crates.io uses.
+
+`LimitErrorReader` code copied from crates.io.
+
+---
+ .../cargo/src/cargo/sources/registry/mod.rs   |  4 ++-
+ src/tools/cargo/src/cargo/util/io.rs          | 27 +++++++++++++++++++
+ src/tools/cargo/src/cargo/util/mod.rs         |  2 ++
+ 3 files changed, 32 insertions(+), 1 deletion(-)
+ create mode 100644 src/tools/cargo/src/cargo/util/io.rs
+
+diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+index 5357e9c..e2028d5 100644
+--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
++++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+@@ -179,7 +179,7 @@ use crate::util::errors::CargoResultExt;
+ use crate::util::hex;
+ use crate::util::interning::InternedString;
+ use crate::util::into_url::IntoUrl;
+-use crate::util::{restricted_names, CargoResult, Config, Filesystem};
++use crate::util::{restricted_names, CargoResult, Config, Filesystem, LimitErrorReader};
+ 
+ const PACKAGE_SOURCE_LOCK: &str = ".cargo-ok";
+ pub const CRATES_IO_INDEX: &str = "https://github.com/rust-lang/crates.io-index";
+@@ -188,6 +188,7 @@ const CRATE_TEMPLATE: &str = "{crate}";
+ const VERSION_TEMPLATE: &str = "{version}";
+ const PREFIX_TEMPLATE: &str = "{prefix}";
+ const LOWER_PREFIX_TEMPLATE: &str = "{lowerprefix}";
++const MAX_UNPACK_SIZE: u64 = 512 * 1024 * 1024;
+ 
+ /// A "source" for a [local](local::LocalRegistry) or
+ /// [remote](remote::RemoteRegistry) registry.
+@@ -583,6 +584,7 @@ impl<'cfg> RegistrySource<'cfg> {
+             }
+         }
+         let gz = GzDecoder::new(tarball);
++        let gz = LimitErrorReader::new(gz, MAX_UNPACK_SIZE);
+         let mut tar = Archive::new(gz);
+         let prefix = unpack_dir.file_name().unwrap();
+         let parent = unpack_dir.parent().unwrap();
+diff --git a/src/tools/cargo/src/cargo/util/io.rs b/src/tools/cargo/src/cargo/util/io.rs
+new file mode 100644
+index 0000000..f62672d
+--- /dev/null
++++ b/src/tools/cargo/src/cargo/util/io.rs
+@@ -0,0 +1,27 @@
++use std::io::{self, Read, Take};
++
++#[derive(Debug)]
++pub struct LimitErrorReader<R> {
++    inner: Take<R>,
++}
++
++impl<R: Read> LimitErrorReader<R> {
++    pub fn new(r: R, limit: u64) -> LimitErrorReader<R> {
++        LimitErrorReader {
++            inner: r.take(limit),
++        }
++    }
++}
++
++impl<R: Read> Read for LimitErrorReader<R> {
++    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
++        match self.inner.read(buf) {
++            Ok(0) if self.inner.limit() == 0 => Err(io::Error::new(
++                io::ErrorKind::Other,
++                "maximum limit reached when reading",
++            )),
++            e => e,
++        }
++    }
++}
++
+diff --git a/src/tools/cargo/src/cargo/util/mod.rs b/src/tools/cargo/src/cargo/util/mod.rs
+index f0408d2..9e5f83e 100644
+--- a/src/tools/cargo/src/cargo/util/mod.rs
++++ b/src/tools/cargo/src/cargo/util/mod.rs
+@@ -13,6 +13,7 @@ pub use self::hasher::StableHasher;
+ pub use self::hex::{hash_u64, short_hash, to_hex};
+ pub use self::into_url::IntoUrl;
+ pub use self::into_url_with_base::IntoUrlWithBase;
++pub(crate) use self::io::LimitErrorReader;
+ pub use self::lev_distance::{closest, closest_msg, lev_distance};
+ pub use self::lockserver::{LockServer, LockServerClient, LockServerStarted};
+ pub use self::paths::{bytes2path, dylib_path, join_paths, path2bytes};
+@@ -46,6 +47,7 @@ pub mod important_paths;
+ pub mod interning;
+ pub mod into_url;
+ mod into_url_with_base;
++mod io;
+ pub mod job;
+ pub mod lev_distance;
+ mod lockserver;
+-- 
+2.27.0
+

CVE-2024-24577.patch

@@ -0,0 +1,51 @@
+From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
+From: Edward Thomson <ethomson@edwardthomson.com>
+Date: Sat, 16 Dec 2023 11:19:07 +0000
+Subject: [PATCH] index: correct index has_dir_name check
+
+Origin: https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
+
+`has_dir_name` is used to check for directory/file collisions,
+and attempts to determine whether the index contains a file with
+a directory name that is a proper subset of the new index entry
+that we're trying to add.
+
+To determine directory name, the function would walk the path string
+backwards to identify a `/`, stopping at the end of the string. However,
+the function assumed that the strings did not start with a `/`. If the
+paths contain only a single `/` at the beginning of the string, then the
+function would continue the loop, erroneously, when they should have
+stopped at the first character.
+
+Correct the order of the tests to terminate properly.
+
+Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
+
+---
+ vendor/libgit2-sys/libgit2/src/index.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/libgit2-sys/libgit2/src/index.c b/vendor/libgit2-sys/libgit2/src/index.c
+index 7ebe075..7862273 100644
+--- a/vendor/libgit2-sys/libgit2/src/index.c
++++ b/vendor/libgit2-sys/libgit2/src/index.c
+@@ -1155,10 +1155,14 @@ static int has_dir_name(git_index *index,
+ 		size_t len, pos;
+ 
+ 		for (;;) {
+-			if (*--slash == '/')
+-				break;
++			slash--;
++
+ 			if (slash <= entry->path)
+ 				return 0;
++
++
++			if (*slash == '/')
++				break;
+ 		}
+ 		len = slash - name;
+ 
+-- 
+2.23.0
+

fix-rustdoc-error-info.patch

@@ -0,0 +1,39 @@
+From c2b79c6142da1a757f9b4a0b58883e39aade779c Mon Sep 17 00:00:00 2001
+From: caodongxia <315816521@qq.com>
+Date: Tue, 24 Aug 2021 09:11:28 +0800
+Subject: [PATCH] fix rustdoc error info
+
+---
+ compiler/rustc_session/src/config.rs        | 2 +-
+ vendor/rustc-ap-rustc_session/src/config.rs | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/compiler/rustc_session/src/config.rs b/compiler/rustc_session/src/config.rs
+index a6d4dcb34..ab8ef7a3c 100644
+--- a/compiler/rustc_session/src/config.rs
++++ b/compiler/rustc_session/src/config.rs
+@@ -891,7 +891,7 @@ pub fn build_target_config(opts: &Options, target_override: Option<Target>) -> T
+             opts.error_format,
+             &format!(
+                 "Error loading target specification: {}. \
+-            Use `--print target-list` for a list of built-in targets",
++            Use `rustc --print target-list` for a list of built-in targets",
+                 e
+             ),
+         )
+diff --git a/vendor/rustc-ap-rustc_session/src/config.rs b/vendor/rustc-ap-rustc_session/src/config.rs
+index 9d73c3b44..223e4eead 100644
+--- a/vendor/rustc-ap-rustc_session/src/config.rs
++++ b/vendor/rustc-ap-rustc_session/src/config.rs
+@@ -891,7 +891,7 @@ pub fn build_target_config(opts: &Options, target_override: Option<Target>) -> T
+             opts.error_format,
+             &format!(
+                 "Error loading target specification: {}. \
+-            Use `--print target-list` for a list of built-in targets",
++            Use `rustc --print target-list` for a list of built-in targets",
+                 e
+             ),
+         )
+-- 
+2.27.0
+

rust.spec

@@ -12,7 +12,7 @@
 %bcond_without lldb
 Name:                rust
 Version:             1.51.0
-Release:             4
+Release:             8
 Summary:             The Rust Programming Language
 License:             (ASL 2.0 or MIT) and (BSD and MIT)
 URL:                 https://www.rust-lang.org
@@ -38,6 +38,11 @@ Patch0009:           rustc-1.51.0-disable-http2.patch
 Patch0010:           clippy-driver-usage-should-user-friendly.patch
 Patch0011:           cargo-help-clippy-should-have-description-to-user.patch
 Patch0012:           fix-a-println-wrong-format.patch
+Patch0013:           CVE-2021-29922.patch
+Patch0014:           fix-rustdoc-error-info.patch
+Patch0015:           CVE-2024-24577.patch
+Patch3000:           CVE-2022-36113.patch
+Patch3001:           CVE-2022-36114.patch
 %{lua: function rust_triple(arch)
   local abi = "gnu"
   if arch == "armv7hl" then
@@ -260,6 +265,11 @@ mkdir -p src/llvm-project/libunwind/
 %patch0010 -p1
 %patch0011 -p1
 %patch0012 -p1
+%patch0013 -p1
+%patch0014 -p1
+%patch0015 -p1
+%patch3000 -p1
+%patch3001 -p1
 rm -rf vendor/curl-sys/curl/
 rm -rf vendor/jemalloc-sys/jemalloc/
 rm -rf vendor/libssh2-sys/libssh2/
@@ -465,13 +475,28 @@ export %{rust_env}
 %{_mandir}/man1/cargo*.1*
 
 %changelog
-* Thu 24 Jun 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-4
+* Thu Jun 27 2024 wangkai <13474090681@163.com> - 1.51.0-8
+- Fix CVE-2022-36113,  CVE-2022-36114
+
+* Fri Mar 15 2024 huangwenhua <huangwenhua@kylinos.cn> - 1.51.0-7
+- Fix spec wrong changlog date format
+
+* Sat Feb 17 2024 wangkai <13474090681@163.com> - 1.51.0-7
+- Fix CVE-2024-24577
+
+* Tue Aug 24 2021 caodongxia <caodongxia@huawei.com> - 1.51.0-6
+- Fix rustdoc error info
+
+* Wed Aug 18 2021 yaoxin <yaoxin30@huawei.com> - 1.51.0-5
+- fix CVE-2021-29922
+
+* Thu Jun 24 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-4
 - fix a println wrong format
 
-* Thu 24 Jun 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-3
+* Thu Jun 24 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-3
 - cargo help clippy should have description to user
 
-* Wed 23 Jun 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-2
+* Wed Jun 23 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-2
 - clippy-driver usage should user friendly
 
 * Fri May 07 2021 wangyue <wangyue92@huawei.com> - 1.51.0-1