packages/rust
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:517b3a747b106975d6080d2eae9ec7e417d05a48
Branches Tags
packages:main
...
compare: packages:a3f446395c8b91687ac54ad7b06ba72814372d60
Branches Tags
packages:main

10 Commits
517b3a747b ... a3f446395c

Author SHA1 Message Date
openeuler-ci-bot
a3f446395c
!136 Fix CVE-2022-36113, CVE-2022-36114 
From: @starlet-dx 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-06-27 08:27:55 +00:00
wk333
93ef97409d Fix CVE-2022-36113, CVE-2022-36114 2024-06-27 16:27:22 +08:00
openeuler-ci-bot
a90b101472 !115 修复spec中changelog格式错误 
From: @disandai 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-03-18 07:28:45 +00:00
huangwenhua
4c634b80a1 Fix spec wrong changlog date format 2024-03-18 15:14:26 +08:00
openeuler-ci-bot
6b7d045068 !108 Fix CVE-2024-24577 
From: @starlet-dx 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-02-18 01:00:23 +00:00
wk333
61950d9f12 Fix CVE-2024-24577 2024-02-17 09:57:38 +08:00
openeuler-ci-bot
24af8945e6 !69 [sync] PR-46: [sync] PR-45: fix rustdoc error info 
From: @openeuler-sync-bot 
Reviewed-by: @jingxiaolu 
Signed-off-by: @jingxiaolu
 2022-03-23 10:52:15 +00:00
caodongxia
bb2bf5a5bc Fix rustdoc error info 
(cherry picked from commit c6809724d3e360d056014c13f624f92498be98b9)
(cherry picked from commit b77755b8e8ba133248b2b9fc89db03deb0a10b99)
 2022-03-22 11:31:12 +08:00
openeuler-ci-bot
fd3ff51e9f !38 fix CVE-2021-29922 
From: @starlet-dx
Reviewed-by: @jingxiaolu
Signed-off-by: @jingxiaolu
 2021-08-19 01:21:58 +00:00
starlet_dx
5eccce5c8a fix CVE-2021-29922 2021-08-18 11:37:58 +08:00
6 changed files with 388 additions and 4 deletions
Show Stats Expand all files Collapse all files

108
CVE-2021-29922.patch Normal file
View File

@ -0,0 +1,108 @@
From 974192cd98b3efca8e5cd293f641f561e7487b30 Mon Sep 17 00:00:00 2001
From: Cheng XU <git@xuc.me>
Date: Tue, 30 Mar 2021 10:24:23 +0800
Subject: [PATCH] Disallow octal format in Ipv4 string
In its original specification, leading zero in Ipv4 string is interpreted
as octal literals. So a IP address 0127.0.0.1 actually means 87.0.0.1.
This confusion can lead to many security vulnerabilities. Therefore, in
[IETF RFC 6943], it suggests to disallow octal/hexadecimal format in Ipv4
string all together.
Existing implementation already disallows hexadecimal numbers. This commit
makes Parser reject octal numbers.
Fixes #83648.
[IETF RFC 6943]: https://tools.ietf.org/html/rfc6943#section-3.1.1
---
library/std/src/net/ip.rs | 2 ++
library/std/src/net/parser.rs | 14 +++++++++++++-
library/std/src/net/parser/tests.rs | 8 ++++++++
3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/library/std/src/net/ip.rs b/library/std/src/net/ip.rs
index 2aa305d7f831e..7f8c33dac561f 100644
--- a/library/std/src/net/ip.rs
+++ b/library/std/src/net/ip.rs
@@ -67,7 +67,9 @@ pub enum IpAddr {
///
/// `Ipv4Addr` provides a [`FromStr`] implementation. The four octets are in decimal
/// notation, divided by `.` (this is called "dot-decimal notation").
+/// Notably, octal numbers and hexadecimal numbers are not allowed per [IETF RFC 6943].
///
+/// [IETF RFC 6943]: https://tools.ietf.org/html/rfc6943#section-3.1.1
/// [`FromStr`]: crate::str::FromStr
///
/// # Examples
diff --git a/library/std/src/net/parser.rs b/library/std/src/net/parser.rs
index 7064ed3ed236d..88a8cb76befbf 100644
--- a/library/std/src/net/parser.rs
+++ b/library/std/src/net/parser.rs
@@ -67,6 +67,11 @@ impl<'a> Parser<'a> {
if self.state.is_empty() { result } else { None }.ok_or(AddrParseError(()))
}
+ /// Peek the next character from the input
+ fn peek_char(&self) -> Option<char> {
+ self.state.first().map(|&b| char::from(b))
+ }
+
/// Read the next character from the input
fn read_char(&mut self) -> Option<char> {
self.state.split_first().map(|(&b, tail)| {
@@ -132,7 +137,14 @@ impl<'a> Parser<'a> {
let mut groups = [0; 4];
for (i, slot) in groups.iter_mut().enumerate() {
- *slot = p.read_separator('.', i, |p| p.read_number(10, None))?;
+ *slot = p.read_separator('.', i, |p| {
+ // Disallow octal number in IP string.
+ // https://tools.ietf.org/html/rfc6943#section-3.1.1
+ match (p.peek_char(), p.read_number(10, None)) {
+ (Some('0'), Some(number)) if number != 0 => None,
+ (_, number) => number,
+ }
+ })?;
}
Some(groups.into())
diff --git a/library/std/src/net/parser/tests.rs b/library/std/src/net/parser/tests.rs
index 8d8889cd19d36..6d2d48ecad02f 100644
--- a/library/std/src/net/parser/tests.rs
+++ b/library/std/src/net/parser/tests.rs
@@ -8,11 +8,15 @@ const SCOPE_ID: u32 = 1337;
const IPV4: Ipv4Addr = Ipv4Addr::new(192, 168, 0, 1);
const IPV4_STR: &str = "192.168.0.1";
const IPV4_STR_PORT: &str = "192.168.0.1:8080";
+const IPV4_STR_WITH_OCTAL: &str = "0127.0.0.1";
+const IPV4_STR_WITH_HEX: &str = "0x10.0.0.1";
const IPV6: Ipv6Addr = Ipv6Addr::new(0x2001, 0xdb8, 0, 0, 0, 0, 0xc0a8, 0x1);
const IPV6_STR_FULL: &str = "2001:db8:0:0:0:0:c0a8:1";
const IPV6_STR_COMPRESS: &str = "2001:db8::c0a8:1";
const IPV6_STR_V4: &str = "2001:db8::192.168.0.1";
+const IPV6_STR_V4_WITH_OCTAL: &str = "2001:db8::0127.0.0.1";
+const IPV6_STR_V4_WITH_HEX: &str = "2001:db8::0x10.0.0.1";
const IPV6_STR_PORT: &str = "[2001:db8::c0a8:1]:8080";
const IPV6_STR_PORT_SCOPE_ID: &str = "[2001:db8::c0a8:1%1337]:8080";
@@ -22,6 +26,8 @@ fn parse_ipv4() {
assert_eq!(result, IPV4);
assert!(Ipv4Addr::from_str(IPV4_STR_PORT).is_err());
+ assert!(Ipv4Addr::from_str(IPV4_STR_WITH_OCTAL).is_err());
+ assert!(Ipv4Addr::from_str(IPV4_STR_WITH_HEX).is_err());
assert!(Ipv4Addr::from_str(IPV6_STR_FULL).is_err());
assert!(Ipv4Addr::from_str(IPV6_STR_COMPRESS).is_err());
assert!(Ipv4Addr::from_str(IPV6_STR_V4).is_err());
@@ -39,6 +45,8 @@ fn parse_ipv6() {
let result: Ipv6Addr = IPV6_STR_V4.parse().unwrap();
assert_eq!(result, IPV6);
+ assert!(Ipv6Addr::from_str(IPV6_STR_V4_WITH_OCTAL).is_err());
+ assert!(Ipv6Addr::from_str(IPV6_STR_V4_WITH_HEX).is_err());
assert!(Ipv6Addr::from_str(IPV4_STR).is_err());
assert!(Ipv6Addr::from_str(IPV4_STR_PORT).is_err());
assert!(Ipv6Addr::from_str(IPV6_STR_PORT).is_err());

54
CVE-2022-36113.patch Normal file
View File

@ -0,0 +1,54 @@
Refer:
https://github.com/rust-lang/cargo/commit/15f1e4b0bf4b4fc20369e0a85d9b77957c4dd52a
https://build.opensuse.org/package/show/SUSE:SLE-15-SP3:Update/rust1.62
From 15f1e4b0bf4b4fc20369e0a85d9b77957c4dd52a Mon Sep 17 00:00:00 2001
From: Josh Triplett <josh@joshtriplett.org>
Date: Thu, 18 Aug 2022 17:17:19 +0200
Subject: [PATCH] CVE-2022-36113: avoid unpacking .cargo-ok from the crate
---
src/tools/cargo/src/cargo/sources/registry/mod.rs | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
index 3142e71..5357e9c 100644
--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
+++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
@@ -607,6 +607,13 @@ impl<'cfg> RegistrySource<'cfg> {
prefix
)
}
+ // Prevent unpacking the lockfile from the crate itself.
+ if entry_path
+ .file_name()
+ .map_or(false, |p| p == PACKAGE_SOURCE_LOCK)
+ {
+ continue;
+ }
// Unpacking failed
let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from);
if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) {
@@ -621,16 +628,15 @@ impl<'cfg> RegistrySource<'cfg> {
result.chain_err(|| format!("failed to unpack entry at `{}`", entry_path.display()))?;
}
- // The lock file is created after unpacking so we overwrite a lock file
- // which may have been extracted from the package.
+ // Now that we've finished unpacking, create and write to the lock file to indicate that
+ // unpacking was successful.
let mut ok = OpenOptions::new()
- .create(true)
+ .create_new(true)
.read(true)
.write(true)
.open(&path)
.chain_err(|| format!("failed to open `{}`", path.display()))?;
- // Write to the lock file to indicate that unpacking was successful.
write!(ok, "ok")?;
Ok(unpack_dir.to_path_buf())
--
2.27.0

107
CVE-2022-36114.patch Normal file
View File

@ -0,0 +1,107 @@
Refer:
https://github.com/rust-lang/cargo/commit/2b68d3c07a4a056264dc006ecb9f1354a0679cd3
https://build.opensuse.org/package/show/SUSE:SLE-15-SP3:Update/rust1.62
From 2b68d3c07a4a056264dc006ecb9f1354a0679cd3 Mon Sep 17 00:00:00 2001
From: Josh Triplett <josh@joshtriplett.org>
Date: Thu, 18 Aug 2022 17:45:45 +0200
Subject: [PATCH] CVE-2022-36114: limit the maximum unpacked size of a crate to
512MB
This gives users of custom registries the same protections, using the
same size limit that crates.io uses.
`LimitErrorReader` code copied from crates.io.
---
.../cargo/src/cargo/sources/registry/mod.rs | 4 ++-
src/tools/cargo/src/cargo/util/io.rs | 27 +++++++++++++++++++
src/tools/cargo/src/cargo/util/mod.rs | 2 ++
3 files changed, 32 insertions(+), 1 deletion(-)
create mode 100644 src/tools/cargo/src/cargo/util/io.rs
diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
index 5357e9c..e2028d5 100644
--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
+++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
@@ -179,7 +179,7 @@ use crate::util::errors::CargoResultExt;
use crate::util::hex;
use crate::util::interning::InternedString;
use crate::util::into_url::IntoUrl;
-use crate::util::{restricted_names, CargoResult, Config, Filesystem};
+use crate::util::{restricted_names, CargoResult, Config, Filesystem, LimitErrorReader};
const PACKAGE_SOURCE_LOCK: &str = ".cargo-ok";
pub const CRATES_IO_INDEX: &str = "https://github.com/rust-lang/crates.io-index";
@@ -188,6 +188,7 @@ const CRATE_TEMPLATE: &str = "{crate}";
const VERSION_TEMPLATE: &str = "{version}";
const PREFIX_TEMPLATE: &str = "{prefix}";
const LOWER_PREFIX_TEMPLATE: &str = "{lowerprefix}";
+const MAX_UNPACK_SIZE: u64 = 512 * 1024 * 1024;
/// A "source" for a [local](local::LocalRegistry) or
/// [remote](remote::RemoteRegistry) registry.
@@ -583,6 +584,7 @@ impl<'cfg> RegistrySource<'cfg> {
}
}
let gz = GzDecoder::new(tarball);
+ let gz = LimitErrorReader::new(gz, MAX_UNPACK_SIZE);
let mut tar = Archive::new(gz);
let prefix = unpack_dir.file_name().unwrap();
let parent = unpack_dir.parent().unwrap();
diff --git a/src/tools/cargo/src/cargo/util/io.rs b/src/tools/cargo/src/cargo/util/io.rs
new file mode 100644
index 0000000..f62672d
--- /dev/null
+++ b/src/tools/cargo/src/cargo/util/io.rs
@@ -0,0 +1,27 @@
+use std::io::{self, Read, Take};
+
+#[derive(Debug)]
+pub struct LimitErrorReader<R> {
+ inner: Take<R>,
+}
+
+impl<R: Read> LimitErrorReader<R> {
+ pub fn new(r: R, limit: u64) -> LimitErrorReader<R> {
+ LimitErrorReader {
+ inner: r.take(limit),
+ }
+ }
+}
+
+impl<R: Read> Read for LimitErrorReader<R> {
+ fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+ match self.inner.read(buf) {
+ Ok(0) if self.inner.limit() == 0 => Err(io::Error::new(
+ io::ErrorKind::Other,
+ "maximum limit reached when reading",
+ )),
+ e => e,
+ }
+ }
+}
+
diff --git a/src/tools/cargo/src/cargo/util/mod.rs b/src/tools/cargo/src/cargo/util/mod.rs
index f0408d2..9e5f83e 100644
--- a/src/tools/cargo/src/cargo/util/mod.rs
+++ b/src/tools/cargo/src/cargo/util/mod.rs
@@ -13,6 +13,7 @@ pub use self::hasher::StableHasher;
pub use self::hex::{hash_u64, short_hash, to_hex};
pub use self::into_url::IntoUrl;
pub use self::into_url_with_base::IntoUrlWithBase;
+pub(crate) use self::io::LimitErrorReader;
pub use self::lev_distance::{closest, closest_msg, lev_distance};
pub use self::lockserver::{LockServer, LockServerClient, LockServerStarted};
pub use self::paths::{bytes2path, dylib_path, join_paths, path2bytes};
@@ -46,6 +47,7 @@ pub mod important_paths;
pub mod interning;
pub mod into_url;
mod into_url_with_base;
+mod io;
pub mod job;
pub mod lev_distance;
mod lockserver;
--
2.27.0

51
CVE-2024-24577.patch Normal file
View File

@ -0,0 +1,51 @@
From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
From: Edward Thomson <ethomson@edwardthomson.com>
Date: Sat, 16 Dec 2023 11:19:07 +0000
Subject: [PATCH] index: correct index has_dir_name check
Origin: https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
`has_dir_name` is used to check for directory/file collisions,
and attempts to determine whether the index contains a file with
a directory name that is a proper subset of the new index entry
that we're trying to add.
To determine directory name, the function would walk the path string
backwards to identify a `/`, stopping at the end of the string. However,
the function assumed that the strings did not start with a `/`. If the
paths contain only a single `/` at the beginning of the string, then the
function would continue the loop, erroneously, when they should have
stopped at the first character.
Correct the order of the tests to terminate properly.
Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
---
vendor/libgit2-sys/libgit2/src/index.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/vendor/libgit2-sys/libgit2/src/index.c b/vendor/libgit2-sys/libgit2/src/index.c
index 7ebe075..7862273 100644
--- a/vendor/libgit2-sys/libgit2/src/index.c
+++ b/vendor/libgit2-sys/libgit2/src/index.c
@@ -1155,10 +1155,14 @@ static int has_dir_name(git_index *index,
size_t len, pos;
for (;;) {
- if (*--slash == '/')
- break;
+ slash--;
+
if (slash <= entry->path)
return 0;
+
+
+ if (*slash == '/')
+ break;
}
len = slash - name;
--
2.23.0

39
fix-rustdoc-error-info.patch Normal file
View File

@ -0,0 +1,39 @@
From c2b79c6142da1a757f9b4a0b58883e39aade779c Mon Sep 17 00:00:00 2001
From: caodongxia <315816521@qq.com>
Date: Tue, 24 Aug 2021 09:11:28 +0800
Subject: [PATCH] fix rustdoc error info
---
compiler/rustc_session/src/config.rs | 2 +-
vendor/rustc-ap-rustc_session/src/config.rs | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/compiler/rustc_session/src/config.rs b/compiler/rustc_session/src/config.rs
index a6d4dcb34..ab8ef7a3c 100644
--- a/compiler/rustc_session/src/config.rs
+++ b/compiler/rustc_session/src/config.rs
@@ -891,7 +891,7 @@ pub fn build_target_config(opts: &Options, target_override: Option<Target>) -> T
opts.error_format,
&format!(
"Error loading target specification: {}. \
- Use `--print target-list` for a list of built-in targets",
+ Use `rustc --print target-list` for a list of built-in targets",
e
),
)
diff --git a/vendor/rustc-ap-rustc_session/src/config.rs b/vendor/rustc-ap-rustc_session/src/config.rs
index 9d73c3b44..223e4eead 100644
--- a/vendor/rustc-ap-rustc_session/src/config.rs
+++ b/vendor/rustc-ap-rustc_session/src/config.rs
@@ -891,7 +891,7 @@ pub fn build_target_config(opts: &Options, target_override: Option<Target>) -> T
opts.error_format,
&format!(
"Error loading target specification: {}. \
- Use `--print target-list` for a list of built-in targets",
+ Use `rustc --print target-list` for a list of built-in targets",
e
),
)
--
2.27.0

33
rust.spec
View File

@ -12,7 +12,7 @@
%bcond_without lldb %bcond_without lldb
Name: rust Name: rust
Version: 1.51.0 Version: 1.51.0
Release: 4 Release: 8
Summary: The Rust Programming Language Summary: The Rust Programming Language
License: (ASL 2.0 or MIT) and (BSD and MIT) License: (ASL 2.0 or MIT) and (BSD and MIT)
URL: https://www.rust-lang.org URL: https://www.rust-lang.org
@ -38,6 +38,11 @@ Patch0009: rustc-1.51.0-disable-http2.patch
Patch0010: clippy-driver-usage-should-user-friendly.patch Patch0010: clippy-driver-usage-should-user-friendly.patch
Patch0011: cargo-help-clippy-should-have-description-to-user.patch Patch0011: cargo-help-clippy-should-have-description-to-user.patch
Patch0012: fix-a-println-wrong-format.patch Patch0012: fix-a-println-wrong-format.patch
Patch0013: CVE-2021-29922.patch
Patch0014: fix-rustdoc-error-info.patch
Patch0015: CVE-2024-24577.patch
Patch3000: CVE-2022-36113.patch
Patch3001: CVE-2022-36114.patch
%{lua: function rust_triple(arch) %{lua: function rust_triple(arch)
local abi = "gnu" local abi = "gnu"
if arch == "armv7hl" then if arch == "armv7hl" then
@ -260,6 +265,11 @@ mkdir -p src/llvm-project/libunwind/
%patch0010 -p1 %patch0010 -p1
%patch0011 -p1 %patch0011 -p1
%patch0012 -p1 %patch0012 -p1
%patch0013 -p1
%patch0014 -p1
%patch0015 -p1
%patch3000 -p1
%patch3001 -p1
rm -rf vendor/curl-sys/curl/ rm -rf vendor/curl-sys/curl/
rm -rf vendor/jemalloc-sys/jemalloc/ rm -rf vendor/jemalloc-sys/jemalloc/
rm -rf vendor/libssh2-sys/libssh2/ rm -rf vendor/libssh2-sys/libssh2/
@ -465,13 +475,28 @@ export %{rust_env}
%{_mandir}/man1/cargo*.1* %{_mandir}/man1/cargo*.1*
%changelog %changelog
* Thu 24 Jun 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-4 * Thu Jun 27 2024 wangkai <13474090681@163.com> - 1.51.0-8
- Fix CVE-2022-36113, CVE-2022-36114
* Fri Mar 15 2024 huangwenhua <huangwenhua@kylinos.cn> - 1.51.0-7
- Fix spec wrong changlog date format
* Sat Feb 17 2024 wangkai <13474090681@163.com> - 1.51.0-7
- Fix CVE-2024-24577
* Tue Aug 24 2021 caodongxia <caodongxia@huawei.com> - 1.51.0-6
- Fix rustdoc error info
* Wed Aug 18 2021 yaoxin <yaoxin30@huawei.com> - 1.51.0-5
- fix CVE-2021-29922
* Thu Jun 24 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-4
- fix a println wrong format - fix a println wrong format
* Thu 24 Jun 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-3 * Thu Jun 24 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-3
- cargo help clippy should have description to user - cargo help clippy should have description to user
* Wed 23 Jun 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-2 * Wed Jun 23 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.51.0-2
- clippy-driver usage should user friendly - clippy-driver usage should user friendly
* Fri May 07 2021 wangyue <wangyue92@huawei.com> - 1.51.0-1 * Fri May 07 2021 wangyue <wangyue92@huawei.com> - 1.51.0-1