| Summary: | <dev-lang/rust-1.63.0-r1 <dev-lang/rust-bin-1.64.0: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | gyakovlev, rust |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B4 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 872560, 877005 | | |
| Bug Blocks: | | | |

Description
John Helmert III
2022-09-14 22:32:40 UTC
eh, I wanted 1.63.0 to be next stable. can no longer do due to -bin unfixable and does not look like there will be 1.63.1

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f36a42fed54e19b300f243f14523fc4267907426

commit f36a42fed54e19b300f243f14523fc4267907426
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-09-15 03:03:41 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-09-15 03:03:41 +0000

    dev-lang/rust: revbump 1.63.0, add cargo security fixes

    Bug: https://bugs.gentoo.org/870166
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/files/1.63.0-CVE-2022-36113.patch | 48 ++++++++++
 dev-lang/rust/files/1.63.0-CVE-2022-36114.patch | 102 +++++++++++++++++++++
 .../{rust-1.63.0.ebuild => rust-1.63.0-r1.ebuild} | 2 +
 3 files changed, 152 insertions(+)

Ah, thanks!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c25a3d2937bd55112f65c9bb0899116306d16e0

commit 4c25a3d2937bd55112f65c9bb0899116306d16e0
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-09-23 20:04:37 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-09-23 20:05:46 +0000

    dev-lang/rust: drop 1.59.0, 1.60.0, 1.61.0-r2, 1.62.0

    Bug: https://bugs.gentoo.org/870166
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/Manifest | 104 ---
 .../files/1.49.0-gentoo-musl-target-specs.patch | 164 -----
 .../rust/files/1.61.0-llvm_addrspacecast.patch | 52 --
 .../files/1.61.0-llvm_selectInterleaveCount.patch | 66 --
 dev-lang/rust/files/1.61.0-miri-cow.patch | 98 ---
 dev-lang/rust/rust-1.59.0.ebuild | 707 --------------------
 dev-lang/rust/rust-1.60.0.ebuild | 714 --------------------
 dev-lang/rust/rust-1.61.0-r2.ebuild | 733 --------------------
 dev-lang/rust/rust-1.62.0.ebuild | 737 ---------------------
 9 files changed, 3375 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d7beced12a5daddbb6584f238c667fc80e6c11d

commit 1d7beced12a5daddbb6584f238c667fc80e6c11d
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-09-23 20:00:42 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-09-23 20:05:40 +0000

    dev-lang/rust-bin: drop 1.59.0, 1.60.0, 1.61.0, 1.62.0

    Bug: https://bugs.gentoo.org/870166
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust-bin/Manifest | 134 -------------------
 dev-lang/rust-bin/rust-bin-1.59.0.ebuild | 214 -----------------------------
 dev-lang/rust-bin/rust-bin-1.60.0.ebuild | 219 ------------------------------
 dev-lang/rust-bin/rust-bin-1.61.0.ebuild | 223 -------------------------------
 dev-lang/rust-bin/rust-bin-1.62.0.ebuild | 221 ------------------------------
 5 files changed, 1011 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afad1a3097b154fd4195834c2778bcbf71cc2167

commit afad1a3097b154fd4195834c2778bcbf71cc2167
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-09-23 19:59:48 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-09-23 20:05:27 +0000

    virtual/rust: drop 1.59.0, 1.60.0, 1.61.0, 1.62.0

    Bug: https://bugs.gentoo.org/870166
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/rust/rust-1.59.0.ebuild | 19 -------------------
 virtual/rust/rust-1.60.0.ebuild | 19 -------------------
 virtual/rust/rust-1.61.0.ebuild | 19 -------------------
 virtual/rust/rust-1.62.0.ebuild | 19 -------------------
 4 files changed, 76 deletions(-)

Thanks!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53f2e771432ee61187a0154f96250372f92d7712

commit 53f2e771432ee61187a0154f96250372f92d7712
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-10-13 17:40:47 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-10-13 17:41:02 +0000

    dev-lang/rust: drop 1.62.1, 1.63.0-r1

    Bug: https://bugs.gentoo.org/870166
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/Manifest | 68 --
 .../files/1.61.0-gentoo-musl-target-specs.patch | 166 -----
 dev-lang/rust/files/1.63.0-CVE-2022-36113.patch | 48 --
 dev-lang/rust/files/1.63.0-CVE-2022-36114.patch | 102 ---
 dev-lang/rust/rust-1.62.1.ebuild | 741 --------------------
 dev-lang/rust/rust-1.63.0-r1.ebuild | 774 ---------------------
 6 files changed, 1899 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4e0cde71804913b0c9754ce0a8ce72e6431fbe8

commit f4e0cde71804913b0c9754ce0a8ce72e6431fbe8
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-10-13 17:35:56 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-10-13 17:41:02 +0000

    dev-lang/rust-bin: drop 1.62.1, 1.63.0

    Bug: https://bugs.gentoo.org/870166
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust-bin/Manifest | 68 ----------
 dev-lang/rust-bin/rust-bin-1.62.1.ebuild | 221 ------------------------------
 dev-lang/rust-bin/rust-bin-1.63.0.ebuild | 222 -------------------------------
 3 files changed, 511 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbb188bf659435e9aff0cd41cbdafb80bc9ec295

commit cbb188bf659435e9aff0cd41cbdafb80bc9ec295
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-10-13 17:35:06 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-10-13 17:41:01 +0000

    virtual/rust: drop 1.62.1, 1.63.0

    Bug: https://bugs.gentoo.org/870166
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/rust/rust-1.62.1.ebuild | 19 -------------------
 virtual/rust/rust-1.63.0.ebuild | 19 -------------------
 2 files changed, 38 deletions(-)

Thanks!

GLSA request filed

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=cda5f646cd9bc370223b79be59deee389a0caeef

commit cda5f646cd9bc370223b79be59deee389a0caeef
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:43:11 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:25 +0000

    [ GLSA 202210-09 ] Rust: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/782367
    Bug: https://bugs.gentoo.org/807052
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Bug: https://bugs.gentoo.org/870166
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-09.xml | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)

GLSA released, all done!

Why was 1.63.0-r1 dropped [on non-riscv]? Didn't that have the security fixes? 1.64 requires 1.63 to build :/

(In reply to Luke-Jr from comment #11)
> Why was 1.63.0-r1 dropped [on non-riscv]? Didn't that have the security
> fixes? 1.64 requires 1.63 to build :/

If it wasn't vulnerable, that would make it unrelated to this bug, wouldn't it?