Summary: | <dev-lang/rust{-bin,}-1.58.1: race condition enabling symlink following | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Randy Barlow <randy> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | gyakovlev, jstein, rust |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html | | |
Whiteboard: | B3 [glsa+] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 824066, 831642 | | |
Bug Blocks: | | | |
Description
Randy Barlow
2022-01-20 21:42:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41dff17ac8c7bb389805ac237ef084fe6780da06

commit 41dff17ac8c7bb389805ac237ef084fe6780da06
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-20 22:02:08 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-20 22:02:18 +0000

    virtual/rust: add 1.58.1

    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/rust/rust-1.58.1.ebuild | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2e6d0b803a47654dd15ff1a79fc8d26982472fc

commit a2e6d0b803a47654dd15ff1a79fc8d26982472fc
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-20 22:01:51 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-20 22:02:17 +0000

    dev-lang/rust-bin: add 1.58.1

    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust-bin/Manifest               |  33 +++++
 dev-lang/rust-bin/rust-bin-1.58.1.ebuild | 214 +++++++++++++++++++++++++++++++
 2 files changed, 247 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c03f0410ab91dd47fed65113350654e15b2811b6

commit c03f0410ab91dd47fed65113350654e15b2811b6
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-20 21:59:06 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-20 22:02:17 +0000

    dev-lang/rust: add 1.58.1

    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/Manifest           |   2 +
 dev-lang/rust/metadata.xml       |   1 +
 dev-lang/rust/rust-1.58.1.ebuild | 704 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 707 insertions(+)

CVE-2022-21658: The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete.

Please cleanup when ready, thanks!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e3b84dd5e01c54a20d60954fc29ccff9abe0871

commit 2e3b84dd5e01c54a20d60954fc29ccff9abe0871
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-22 01:21:48 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-22 01:22:32 +0000

    profiles: mask vulnerable rust versions (and seamonkey)

    Bug: https://bugs.gentoo.org/831638
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/824066
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 profiles/package.mask | 12 ++++++++++++
 1 file changed, 12 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c373dd540306f0f2e4846f204bcd1a9a58b2d78

commit 7c373dd540306f0f2e4846f204bcd1a9a58b2d78
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-29 05:51:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-29 05:53:08 +0000

    profiles: drop seamonkey mask now it's been bumped

    Bug: https://bugs.gentoo.org/831638
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/824066
    Bug: https://bugs.gentoo.org/831977
    Bug: https://bugs.gentoo.org/828479
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86f377d22c2cc041d32b53f444f6c32aebd909a4

commit 86f377d22c2cc041d32b53f444f6c32aebd909a4
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-29 17:04:25 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-29 17:06:53 +0000

    dev-lang/rust: drop versions

    leaving mask in place for another couple of week to
    encourage updating

    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/Manifest                             | 172 -----
 ....0-ignore-broken-and-non-applicable-tests.patch |  75 ---
 dev-lang/rust/files/1.53.0-miri-vergen.patch       |  53 --
 dev-lang/rust/files/1.53.0-rustversion-1.0.5.patch | 234 -------
 dev-lang/rust/files/1.54.0-parallel-miri.patch     |  43 --
 dev-lang/rust/files/1.57.0-selfbootstrap.patch     |  56 --
 dev-lang/rust/rust-1.53.0.ebuild                   | 684 --------------------
 dev-lang/rust/rust-1.54.0.ebuild                   | 684 --------------------
 dev-lang/rust/rust-1.55.0.ebuild                   | 683 --------------------
 dev-lang/rust/rust-1.56.1.ebuild                   | 686 --------------------
 dev-lang/rust/rust-1.57.0.ebuild                   | 687 --------------------
 dev-lang/rust/rust-1.58.0.ebuild                   | 699 ---------------------
 12 files changed, 4756 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ace2f2b764c11136772b099d485a0a868c7dc1f1

commit ace2f2b764c11136772b099d485a0a868c7dc1f1
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-29 17:02:58 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-29 17:06:22 +0000

    dev-lang/rust-bin: drop versions

    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust-bin/Manifest               | 195 ----------------------------
 dev-lang/rust-bin/rust-bin-1.53.0.ebuild | 192 ---------------------------
 dev-lang/rust-bin/rust-bin-1.54.0.ebuild | 192 ---------------------------
 dev-lang/rust-bin/rust-bin-1.55.0.ebuild | 192 ---------------------------
 dev-lang/rust-bin/rust-bin-1.56.1.ebuild | 214 -------------------------------
 dev-lang/rust-bin/rust-bin-1.57.0.ebuild | 214 -------------------------------
 dev-lang/rust-bin/rust-bin-1.58.0.ebuild | 214 -------------------------------
 7 files changed, 1413 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=074e38995738dc175b7150d76709d369e0a55ef7

commit 074e38995738dc175b7150d76709d369e0a55ef7
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-29 17:02:41 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-29 17:06:17 +0000

    virtual/rust: drop versions

    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/rust/rust-1.53.0-r1.ebuild | 19 -------------------
 virtual/rust/rust-1.54.0.ebuild    | 19 -------------------
 virtual/rust/rust-1.55.0.ebuild    | 19 -------------------
 virtual/rust/rust-1.56.1.ebuild    | 19 -------------------
 virtual/rust/rust-1.57.0.ebuild    | 19 -------------------
 virtual/rust/rust-1.58.0.ebuild    | 19 -------------------
 6 files changed, 114 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e51e1255a559bb11b72416a98c4a6422f5d2871

commit 7e51e1255a559bb11b72416a98c4a6422f5d2871
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-29 17:01:28 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-29 17:05:47 +0000

    sys-devel/rust-std: drop 1.53.0, 1.54.0, 1.55.0, 1.56.1, 1.58.0

    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 sys-devel/rust-std/Manifest               |   5 -
 sys-devel/rust-std/rust-std-1.53.0.ebuild | 154 -----------------------------
 sys-devel/rust-std/rust-std-1.54.0.ebuild | 154 -----------------------------
 sys-devel/rust-std/rust-std-1.55.0.ebuild | 154 -----------------------------
 sys-devel/rust-std/rust-std-1.56.1.ebuild | 154 -----------------------------
 sys-devel/rust-std/rust-std-1.58.0.ebuild | 155 ------------------------------
 6 files changed, 776 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef741792c06ad55d37e1477ad74f3d8fc3fcd64f

commit ef741792c06ad55d37e1477ad74f3d8fc3fcd64f
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-02-19 13:40:28 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-02-19 13:44:49 +0000

    www-client/seamonkey: drop 2.53.9.1-r1

    Bug: https://bugs.gentoo.org/831638
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/824066
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 profiles/package.mask                             |  12 -
 www-client/seamonkey/Manifest                     |   4 -
 www-client/seamonkey/seamonkey-2.53.9.1-r1.ebuild | 557 ----------------------
 3 files changed, 573 deletions(-)

GLSA request filed

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=cda5f646cd9bc370223b79be59deee389a0caeef

commit cda5f646cd9bc370223b79be59deee389a0caeef
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:43:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:25 +0000

    [ GLSA 202210-09 ] Rust: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/782367
    Bug: https://bugs.gentoo.org/807052
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Bug: https://bugs.gentoo.org/870166
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-09.xml | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)

GLSA released, all done!