
Bug 751094

Summary: <dev-util/sccache-0.2.15: depends on vulnerable linked-hash-map crate
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: gyakovlev
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://rustsec.org/advisories/RUSTSEC-2020-0026.html
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-25 01:54:08 UTC
See $URL for details. Maintainer(s), please advise if this package uses this package in a way that could trigger these vulnerabilities.

Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-25 02:00:23 UTC
Looks like the dependency is on 0.5.3 on master.

Comment 2 Georgy Yakovlev archtester gentoo-dev 2020-10-25 04:20:32 UTC
This needs investigation; however, I think it's simpler just to patch the single line in the existing crate/ebuild.
Will do later.

Comment 3 Larry the Git Cow gentoo-dev 2021-02-25 23:47:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb7862c8eb684a4cf002f2ca861c19ddd1936786

commit eb7862c8eb684a4cf002f2ca861c19ddd1936786
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-02-25 23:45:31 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-02-25 23:46:52 +0000

    dev-util/sccache: bump to 0.2.15, ppc64 support
    
    Bug: https://bugs.gentoo.org/751094
    Bug: https://bugs.gentoo.org/766384
    Bug: https://bugs.gentoo.org/740878
    Bug: https://bugs.gentoo.org/711340
    Bug: https://bugs.gentoo.org/710202
    Closes: https://bugs.gentoo.org/750572
    Closes: https://bugs.gentoo.org/771843
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-util/sccache/Manifest              | 247 +++++++++++++++++
 dev-util/sccache/sccache-0.2.15.ebuild | 475 +++++++++++++++++++++++++++++++++
 2 files changed, 722 insertions(+)

Comment 4 Georgy Yakovlev archtester gentoo-dev 2021-02-25 23:49:45 UTC
Can be closed as soon as 0.2.13 is gone from the tree; it does not even build nowadays and is not stable, but let's give it a couple of days.

Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-26 00:09:46 UTC
(In reply to Georgy Yakovlev from comment #4)
> Can be closed as soon as 0.2.13 is gone from the tree; it does not even
> build nowadays and is not stable, but let's give it a couple of days.

Thanks!

Comment 6 Larry the Git Cow gentoo-dev 2021-07-24 06:09:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5bff254aaf27887ee76415a8964e390a0108636

commit b5bff254aaf27887ee76415a8964e390a0108636
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-24 06:08:57 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-24 06:08:57 +0000

    dev-util/sccache: drop 0.2.13
    
    Bug: https://bugs.gentoo.org/751094
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-util/sccache/Manifest              | 186 ----------------
 dev-util/sccache/sccache-0.2.13.ebuild | 390 ---------------------------------
 2 files changed, 576 deletions(-)

Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-24 06:12:45 UTC
Thanks!