Bug 831638 (CVE-2022-21658) - <dev-lang/rust{-bin,}-1.58.1: race condition enabling symlink following
Summary: <dev-lang/rust{-bin,}-1.58.1: race condition enabling symlink following
Status: RESOLVED FIXED
Alias: CVE-2022-21658
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://blog.rust-lang.org/2022/01/20...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 824066 831642
Blocks:
Reported: 2022-01-20 21:42 UTC by Randy Barlow
Modified: 2022-10-16 15:04 UTC

See Also:
Package list:
Runtime testing required: ---


Description Randy Barlow 2022-01-20 21:42:22 UTC
Please add Rust 1.58.1 for CVE-2022-21658. For more information, see:

https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html

Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2022-01-20 22:03:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41dff17ac8c7bb389805ac237ef084fe6780da06

commit 41dff17ac8c7bb389805ac237ef084fe6780da06
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-20 22:02:08 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-20 22:02:18 +0000

    virtual/rust: add 1.58.1
    
    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/rust/rust-1.58.1.ebuild | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2e6d0b803a47654dd15ff1a79fc8d26982472fc

commit a2e6d0b803a47654dd15ff1a79fc8d26982472fc
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-20 22:01:51 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-20 22:02:17 +0000

    dev-lang/rust-bin: add 1.58.1
    
    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust-bin/Manifest               |  33 +++++
 dev-lang/rust-bin/rust-bin-1.58.1.ebuild | 214 +++++++++++++++++++++++++++++++
 2 files changed, 247 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c03f0410ab91dd47fed65113350654e15b2811b6

commit c03f0410ab91dd47fed65113350654e15b2811b6
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-20 21:59:06 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-20 22:02:17 +0000

    dev-lang/rust: add 1.58.1
    
    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/Manifest           |   2 +
 dev-lang/rust/metadata.xml       |   1 +
 dev-lang/rust/rust-1.58.1.ebuild | 704 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 707 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-21 01:24:38 UTC
CVE-2022-21658:

The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-22 00:51:00 UTC
Please cleanup when ready, thanks!
Comment 4 Larry the Git Cow gentoo-dev 2022-01-22 01:23:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e3b84dd5e01c54a20d60954fc29ccff9abe0871

commit 2e3b84dd5e01c54a20d60954fc29ccff9abe0871
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-22 01:21:48 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-22 01:22:32 +0000

    profiles: mask vulnerable rust versions (and seamonkey)
    
    Bug: https://bugs.gentoo.org/831638
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/824066
    
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 profiles/package.mask | 12 ++++++++++++
 1 file changed, 12 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2022-01-29 05:53:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c373dd540306f0f2e4846f204bcd1a9a58b2d78

commit 7c373dd540306f0f2e4846f204bcd1a9a58b2d78
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-29 05:51:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-29 05:53:08 +0000

    profiles: drop seamonkey mask now it's been bumped
    
    Bug: https://bugs.gentoo.org/831638
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/824066
    Bug: https://bugs.gentoo.org/831977
    Bug: https://bugs.gentoo.org/828479
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Larry the Git Cow gentoo-dev 2022-01-29 17:07:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86f377d22c2cc041d32b53f444f6c32aebd909a4

commit 86f377d22c2cc041d32b53f444f6c32aebd909a4
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-29 17:04:25 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-29 17:06:53 +0000

    dev-lang/rust: drop versions
    
    leaving mask in place for another couple of weeks to encourage updating
    
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/Manifest                             | 172 -----
 ....0-ignore-broken-and-non-applicable-tests.patch |  75 ---
 dev-lang/rust/files/1.53.0-miri-vergen.patch       |  53 --
 dev-lang/rust/files/1.53.0-rustversion-1.0.5.patch | 234 -------
 dev-lang/rust/files/1.54.0-parallel-miri.patch     |  43 --
 dev-lang/rust/files/1.57.0-selfbootstrap.patch     |  56 --
 dev-lang/rust/rust-1.53.0.ebuild                   | 684 --------------------
 dev-lang/rust/rust-1.54.0.ebuild                   | 684 --------------------
 dev-lang/rust/rust-1.55.0.ebuild                   | 683 --------------------
 dev-lang/rust/rust-1.56.1.ebuild                   | 686 --------------------
 dev-lang/rust/rust-1.57.0.ebuild                   | 687 --------------------
 dev-lang/rust/rust-1.58.0.ebuild                   | 699 ---------------------
 12 files changed, 4756 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ace2f2b764c11136772b099d485a0a868c7dc1f1

commit ace2f2b764c11136772b099d485a0a868c7dc1f1
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-29 17:02:58 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-29 17:06:22 +0000

    dev-lang/rust-bin: drop versions
    
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust-bin/Manifest               | 195 ----------------------------
 dev-lang/rust-bin/rust-bin-1.53.0.ebuild | 192 ---------------------------
 dev-lang/rust-bin/rust-bin-1.54.0.ebuild | 192 ---------------------------
 dev-lang/rust-bin/rust-bin-1.55.0.ebuild | 192 ---------------------------
 dev-lang/rust-bin/rust-bin-1.56.1.ebuild | 214 -------------------------------
 dev-lang/rust-bin/rust-bin-1.57.0.ebuild | 214 -------------------------------
 dev-lang/rust-bin/rust-bin-1.58.0.ebuild | 214 -------------------------------
 7 files changed, 1413 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=074e38995738dc175b7150d76709d369e0a55ef7

commit 074e38995738dc175b7150d76709d369e0a55ef7
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-29 17:02:41 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-29 17:06:17 +0000

    virtual/rust: drop versions
    
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/rust/rust-1.53.0-r1.ebuild | 19 -------------------
 virtual/rust/rust-1.54.0.ebuild    | 19 -------------------
 virtual/rust/rust-1.55.0.ebuild    | 19 -------------------
 virtual/rust/rust-1.56.1.ebuild    | 19 -------------------
 virtual/rust/rust-1.57.0.ebuild    | 19 -------------------
 virtual/rust/rust-1.58.0.ebuild    | 19 -------------------
 6 files changed, 114 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e51e1255a559bb11b72416a98c4a6422f5d2871

commit 7e51e1255a559bb11b72416a98c4a6422f5d2871
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-29 17:01:28 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-29 17:05:47 +0000

    sys-devel/rust-std: drop 1.53.0, 1.54.0, 1.55.0, 1.56.1, 1.58.0
    
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 sys-devel/rust-std/Manifest               |   5 -
 sys-devel/rust-std/rust-std-1.53.0.ebuild | 154 -----------------------------
 sys-devel/rust-std/rust-std-1.54.0.ebuild | 154 -----------------------------
 sys-devel/rust-std/rust-std-1.55.0.ebuild | 154 -----------------------------
 sys-devel/rust-std/rust-std-1.56.1.ebuild | 154 -----------------------------
 sys-devel/rust-std/rust-std-1.58.0.ebuild | 155 ------------------------------
 6 files changed, 776 deletions(-)
Comment 7 Larry the Git Cow gentoo-dev 2022-02-19 13:45:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef741792c06ad55d37e1477ad74f3d8fc3fcd64f

commit ef741792c06ad55d37e1477ad74f3d8fc3fcd64f
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-02-19 13:40:28 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-02-19 13:44:49 +0000

    www-client/seamonkey: drop 2.53.9.1-r1
    
    Bug: https://bugs.gentoo.org/831638
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/824066
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 profiles/package.mask                             |  12 -
 www-client/seamonkey/Manifest                     |   4 -
 www-client/seamonkey/seamonkey-2.53.9.1-r1.ebuild | 557 ----------------------
 3 files changed, 573 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:20:57 UTC
GLSA request filed
Comment 9 Larry the Git Cow gentoo-dev 2022-10-16 14:46:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=cda5f646cd9bc370223b79be59deee389a0caeef

commit cda5f646cd9bc370223b79be59deee389a0caeef
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:43:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:25 +0000

    [ GLSA 202210-09 ] Rust: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/782367
    Bug: https://bugs.gentoo.org/807052
    Bug: https://bugs.gentoo.org/821157
    Bug: https://bugs.gentoo.org/831638
    Bug: https://bugs.gentoo.org/870166
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-09.xml | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 15:04:34 UTC
GLSA released, all done!