Bug 662904 (CVE-2018-1000622) - <dev-lang/rust{,-bin}-1.27.1: rustdoc loads plugins from world writable directory allowing for arbitrary code execution (CVE-2018-1000622)
Status: RESOLVED FIXED
Alias: CVE-2018-1000622
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://groups.google.com/forum/#!top...
Whiteboard: B2 [glsa+ cve]
Keywords:
Duplicates: 662906 662908
Depends on: 663690
Blocks:
Reported: 2018-08-05 23:44 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-12-30 21:20 UTC
CC: 3 users

See Also:
Package list:
=dev-lang/rust-1.28.0-r1 =dev-lang/rust-bin-1.28.0-r1 =dev-util/cargo-0.29.0 =virtual/rust-1.28.0 =virtual/cargo-1.28.0
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-05 23:44:02 UTC
The Rust Programming Language rustdoc, versions between 0.8 and 1.27.0, contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appears to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability appears to have been fixed in 1.27.1.
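The CWE-427 pattern in the description, as an added example that is not rustdoc's code and not part of this bug: a plugin-directory resolver that silently falls back to a location under the shared temp directory when no --plugin-path is given, next to a hardened resolver that refuses to guess a path and rejects directories that are group- or world-writable or owned by another user. The names (`resolve_plugin_dir`, `resolve_plugin_dir_insecure`, `PluginDirError`), the temp-dir fallback and the `expected_uid` parameter are assumptions of this example, not details taken from rustdoc; the scratch directory it creates is constructed for the demo.

```rust
// Added example (not rustdoc's or Gentoo's code): an uncontrolled search
// path element (CWE-427) in plugin loading, beside a hardened resolver.
use std::fs;
use std::os::unix::fs::{MetadataExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Vulnerable pattern (assumed shape, not rustdoc's literal code): with no
/// explicit --plugin-path, fall back to a directory under the system temp
/// dir. Any local user can pre-create that directory and drop a shared
/// object there, so `--plugin <name>` then loads attacker-controlled code.
pub fn resolve_plugin_dir_insecure(explicit: Option<&Path>) -> PathBuf {
    explicit
        .map(Path::to_path_buf)
        .unwrap_or_else(|| std::env::temp_dir().join("plugins"))
}

#[derive(Debug, PartialEq, Eq)]
pub enum PluginDirError {
    /// No explicit directory was supplied; refuse to guess one.
    NoExplicitPath,
    /// Path could not be canonicalised or stat'ed.
    Io(String),
    NotADirectory,
    /// Group- or world-writable (permission bits, masked to 0o7777).
    Writable(u32),
    /// Owned by someone other than the expected user.
    WrongOwner { expected: u32, actual: u32 },
}

/// Hardened resolver: require an explicit path, resolve symlinks first,
/// then reject directories writable by group/others or owned by another
/// user. `expected_uid` is the uid the caller trusts (normally the invoking
/// user's own uid; assumed here to be supplied by the caller).
pub fn resolve_plugin_dir(
    explicit: Option<&Path>,
    expected_uid: u32,
) -> Result<PathBuf, PluginDirError> {
    let dir = explicit.ok_or(PluginDirError::NoExplicitPath)?;
    let canon = fs::canonicalize(dir).map_err(|e| PluginDirError::Io(e.to_string()))?;
    let meta = fs::metadata(&canon).map_err(|e| PluginDirError::Io(e.to_string()))?;
    if !meta.is_dir() {
        return Err(PluginDirError::NotADirectory);
    }
    let mode = meta.permissions().mode() & 0o7777;
    // 0o022 covers both g+w and o+w; a sticky /tmp-style 1777 still fails,
    // because others can still create entries there.
    if mode & 0o022 != 0 {
        return Err(PluginDirError::Writable(mode));
    }
    if meta.uid() != expected_uid {
        return Err(PluginDirError::WrongOwner { expected: expected_uid, actual: meta.uid() });
    }
    Ok(canon)
}

fn main() {
    // Constructed scratch directory; we created it, so its uid is our own.
    let base = std::env::temp_dir().join(format!("plugin-dir-demo-{}", std::process::id()));
    fs::create_dir_all(&base).expect("create scratch dir");
    let my_uid = fs::metadata(&base).expect("stat").uid();

    fs::set_permissions(&base, fs::Permissions::from_mode(0o755)).expect("chmod");
    println!("0755 -> {:?}", resolve_plugin_dir(Some(&base), my_uid));
    fs::set_permissions(&base, fs::Permissions::from_mode(0o1777)).expect("chmod");
    println!("1777 -> {:?}", resolve_plugin_dir(Some(&base), my_uid));
    println!("no --plugin-path, insecure default -> {}", resolve_plugin_dir_insecure(None).display());
    println!("no --plugin-path, hardened -> {:?}", resolve_plugin_dir(None, my_uid));

    fs::remove_dir_all(&base).ok();
}
```

The mode and owner checks narrow the window but are still a check-then-use sequence; the fix that actually closes the bug class is the first branch, never defaulting to a location other users can write to, and loading plugins only from a path the invoking user named explicitly.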
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-08-06 07:43:20 UTC
Why do we have three bugs for this? It seems like handling it all in one bug would work just fine -- especially since these packages are closely related.
Comment 2 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-08-06 07:48:47 UTC
FWIW, I propose that we just stabilize 1.28.0 (though there should probably be an -r1 for rust-bin given bug 662842). Everything between >= 1.26.0 and < 1.27.2 contains match ergonomics unsoundness (see https://blog.rust-lang.org/2018/07/20/Rust-1.27.2.html), and IIRC Firefox was going to upgrade straight from 1.24.0 to 1.28.0.
Comment 3 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-08-08 13:38:38 UTC
Since there haven't been any dissenters, I propose to stabilize 1.28.0-r1.
Comment 4 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-08-08 14:47:51 UTC
As pointed out by leio, I included arm64 here even though it has not been stable before. Since arm64 for rust-bin has only just been added, let's keep it out for now and reconsider later on.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-15 17:14:54 UTC
x86 stopped stabilization due to bug 663690.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-15 17:15:39 UTC
*** Bug 662906 has been marked as a duplicate of this bug. ***
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-15 17:16:00 UTC
*** Bug 662908 has been marked as a duplicate of this bug. ***
Comment 8 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-09-05 09:42:47 UTC
Bug 663690 is definitely specific to x86, so amd64, please stabilize?
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-09-09 08:00:16 UTC
amd64 stable
Comment 10 Alexander Tsoy 2018-09-09 15:18:31 UTC
(In reply to Mikle Kolyada from comment #9)
> amd64 stable
You have missed =virtual/cargo-1.28.0
Comment 11 Alexander Tsoy 2018-09-09 15:19:47 UTC
(In reply to Alexander Tsoy from comment #10)
> (In reply to Mikle Kolyada from comment #9)
> > amd64 stable
> You have missed =virtual/cargo-1.28.0
Sorry, I meant virtual/rust
Comment 12 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-09-25 12:56:49 UTC
So the blocking bug for x86 has been solved, but that will require stabilizing binutils(-libs)-2.30-r4. Since we have bug 666976 incoming, let's just wait for that and stabilize 1.29.1 in one go.
Comment 13 Larry the Git Cow gentoo-dev 2018-10-05 13:11:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3aba8ca44bf9f3cdb6f44202206ed9fac08d6b9

commit d3aba8ca44bf9f3cdb6f44202206ed9fac08d6b9
Author:     Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2018-10-05 13:09:59 +0000
Commit:     Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2018-10-05 13:10:59 +0000

    dev-lang/rust-bin: remove old, vulnerable versions of rust
    
    Bug: https://bugs.gentoo.org/666976
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=662904
    Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 dev-lang/rust-bin/Manifest                  |  11 --
 dev-lang/rust-bin/rust-bin-1.25.0.ebuild    | 122 ---------------------
 dev-lang/rust-bin/rust-bin-1.28.0-r1.ebuild | 163 ----------------------------
 3 files changed, 296 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5bbd64bd5a9b84a1a33a9bbcf7b725d26d947a50

commit 5bbd64bd5a9b84a1a33a9bbcf7b725d26d947a50
Author:     Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2018-10-05 13:08:58 +0000
Commit:     Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2018-10-05 13:10:58 +0000

    dev-lang/rust: remove old, vulnerable versions of rust
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=666976
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=662904
    Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 dev-lang/rust/Manifest              |   8 --
 dev-lang/rust/metadata.xml          |   2 -
 dev-lang/rust/rust-1.25.0.ebuild    | 172 ----------------------
 dev-lang/rust/rust-1.28.0-r1.ebuild | 276 ------------------------------------
 dev-lang/rust/rust-1.28.0.ebuild    | 268 ----------------------------------
 5 files changed, 726 deletions(-)
Comment 14 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-10-05 13:12:07 UTC
Vulnerable versions removed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2018-12-30 21:20:19 UTC
This issue was resolved and addressed in
 GLSA 201812-11 at https://security.gentoo.org/glsa/201812-11
by GLSA coordinator Thomas Deutschmann (whissi).