Hello community,

here is the log from the commit of package rust1.62 for openSUSE:Factory 
checked in at 2022-09-17 20:09:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rust1.62 (Old)
 and      /work/SRC/openSUSE:Factory/.rust1.62.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rust1.62"

Sat Sep 17 20:09:19 2022 rev:4 rq:1003998 version:1.62.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/rust1.62/rust1.62.changes        2022-07-29 
16:47:43.186622839 +0200
+++ /work/SRC/openSUSE:Factory/.rust1.62.new.2083/rust1.62.changes      
2022-09-17 20:09:20.436983894 +0200
@@ -1,0 +2,8 @@
+Fri Sep 16 04:56:02 UTC 2022 - William Brown <william.br...@suse.com>
+
+- bsc#1203433 - CVE-2022-36113 - resolve symlink hijack
+  * 0003-CVE-2022-36113-avoid-unpacking-.cargo-ok-from-the-cr.patch
+- bsc #1203431 - CVE-2022-36114 - resolve zip bomb attack
+  * 0002-CVE-2022-36114-limit-the-maximum-unpacked-size-of-a-.patch
+
+-------------------------------------------------------------------

New:
----
  0002-CVE-2022-36114-limit-the-maximum-unpacked-size-of-a-.patch
  0003-CVE-2022-36113-avoid-unpacking-.cargo-ok-from-the-cr.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rust1.62.spec ++++++
--- /var/tmp/diff_new_pack.3Uzg79/_old  2022-09-17 20:09:31.933017056 +0200
+++ /var/tmp/diff_new_pack.3Uzg79/_new  2022-09-17 20:09:31.937017068 +0200
@@ -237,7 +237,11 @@
 # PATCH-FIX-OPENSUSE: let wasm target use the system lld by default, rust-lld 
might not be available.
 Patch1:         wasm-use-system-lld.patch
 %endif
-# Patch2:         0001-fix-tests.patch
+# IMPORTANT - To generate patches for submodules in git so they apply 
relatively you can use
+#  git format-patch --dst-prefix=b/src/tools/cargo/  HEAD~2
+Patch3:         0002-CVE-2022-36114-limit-the-maximum-unpacked-size-of-a-.patch
+Patch4:         0003-CVE-2022-36113-avoid-unpacking-.cargo-ok-from-the-cr.patch
+
 BuildRequires:  chrpath
 BuildRequires:  curl
 BuildRequires:  fdupes
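Review bot: Patch3 and Patch4 are only declared in this hunk; whether they are applied depends on `%prep`, which is outside the hunk, so if that section uses explicit `%patchN -p1` lines rather than `%autosetup`/`%autopatch`, entries for 3 and 4 are still needed. Both patches carry a `---` header naming `a/src/cargo/...` while only `+++` carries the `src/tools/cargo/` prefix, so it is worth confirming that the `-p1` application actually lands in the submodule path rather than relying on patch's file-name heuristics. The numbering also jumps from Patch1 to Patch3 now that the commented-out `0001-fix-tests.patch` is gone; a one-line `# Patch2 intentionally unused` would keep the gap from reading as a mistake.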

++++++ 0002-CVE-2022-36114-limit-the-maximum-unpacked-size-of-a-.patch ++++++
>From 0c387900128caa96285486b1eda683b8a78268aa Mon Sep 17 00:00:00 2001
From: Josh Triplett <j...@joshtriplett.org>
Date: Thu, 18 Aug 2022 17:45:45 +0200
Subject: [PATCH 1/2] CVE-2022-36114: limit the maximum unpacked size of a
 crate to 512MB

This gives users of custom registries the same protections, using the
same size limit that crates.io uses.

`LimitErrorReader` code copied from crates.io.
---
 src/cargo/sources/registry/mod.rs |  6 +++++-
 src/cargo/util/io.rs              | 27 +++++++++++++++++++++++++++
 src/cargo/util/mod.rs             |  2 ++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 src/cargo/util/io.rs

diff --git a/src/cargo/sources/registry/mod.rs 
b/src/tools/cargo/src/cargo/sources/registry/mod.rs
index fc9c29510..1df7738e3 100644
--- a/src/cargo/sources/registry/mod.rs
+++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
@@ -182,7 +182,9 @@ use crate::util::hex;
 use crate::util::interning::InternedString;
 use crate::util::into_url::IntoUrl;
 use crate::util::network::PollExt;
-use crate::util::{restricted_names, CargoResult, Config, Filesystem, 
OptVersionReq};
+use crate::util::{
+    restricted_names, CargoResult, Config, Filesystem, LimitErrorReader, 
OptVersionReq,
+};
 
 const PACKAGE_SOURCE_LOCK: &str = ".cargo-ok";
 pub const CRATES_IO_INDEX: &str = 
"https://github.com/rust-lang/crates.io-index";;
@@ -193,6 +195,7 @@ const VERSION_TEMPLATE: &str = "{version}";
 const PREFIX_TEMPLATE: &str = "{prefix}";
 const LOWER_PREFIX_TEMPLATE: &str = "{lowerprefix}";
 const CHECKSUM_TEMPLATE: &str = "{sha256-checksum}";
+const MAX_UNPACK_SIZE: u64 = 512 * 1024 * 1024;
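Review bot: `MAX_UNPACK_SIZE` has no doc comment, and the commit message's rationale (same cap crates.io applies) is the kind of thing the next maintainer will want at the definition rather than in git history. Suggest `/// Upper bound on the decompressed size of a crate tarball; mirrors the limit crates.io enforces at publish time so custom registries get the same zip-bomb protection.` above the constant.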
 
 /// A "source" for a local (see `local::LocalRegistry`) or remote (see
 /// `remote::RemoteRegistry`) registry.
@@ -617,6 +620,7 @@ impl<'cfg> RegistrySource<'cfg> {
             }
         }
         let gz = GzDecoder::new(tarball);
+        let gz = LimitErrorReader::new(gz, MAX_UNPACK_SIZE);
         let mut tar = Archive::new(gz);
         let prefix = unpack_dir.file_name().unwrap();
         let parent = unpack_dir.parent().unwrap();
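Review bot: The wrap is placed after `GzDecoder::new`, so the cap applies to decompressed bytes handed to `tar`, which is exactly what defeats a compression bomb — but nothing says so, and moving it one line up would silently turn it into a cap on the compressed file. Suggest `// Bound the *decompressed* stream: the limit must sit between the gzip decoder and the tar reader.` on the new line. Note that the reader's error text `"maximum limit reached when reading"` will surface wrapped as `failed to unpack entry at ...`, which hides the real cause from the user; the enclosing function starts and ends outside this hunk.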
diff --git a/src/cargo/util/io.rs b/src/tools/cargo/src/cargo/util/io.rs
new file mode 100644
index 000000000..f62672db0
--- /dev/null
+++ b/src/tools/cargo/src/cargo/util/io.rs
@@ -0,0 +1,27 @@
+use std::io::{self, Read, Take};
+
+#[derive(Debug)]
+pub struct LimitErrorReader<R> {
+    inner: Take<R>,
+}
+
+impl<R: Read> LimitErrorReader<R> {
+    pub fn new(r: R, limit: u64) -> LimitErrorReader<R> {
+        LimitErrorReader {
+            inner: r.take(limit),
+        }
+    }
+}
+
+impl<R: Read> Read for LimitErrorReader<R> {
+    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+        match self.inner.read(buf) {
+            Ok(0) if self.inner.limit() == 0 => Err(io::Error::new(
+                io::ErrorKind::Other,
+                "maximum limit reached when reading",
+            )),
+            e => e,
+        }
+    }
+}
+
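Review bot: `LimitErrorReader` carries no doc comment, and its boundary behaviour deserves one: because `Take` cannot tell an inner stream that ended exactly at `limit` bytes from one that has more, the `Ok(0) if self.inner.limit() == 0` arm also rejects a stream of exactly `limit` bytes, so the effective cap is `limit - 1`. Suggest `/// Reader that fails with an `io::Error` instead of silently truncating once `limit` bytes have been consumed and another read is attempted; a stream of exactly `limit` bytes is rejected too, which is acceptable for a size cap.` above the struct. The error message names neither the limit nor what was being read; since `new` receives `limit`, keeping it in a field and formatting it into the message (e.g. `format!("maximum unpacked size of {} bytes exceeded", limit)`) would make the failure actionable.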
diff --git a/src/cargo/util/mod.rs b/src/tools/cargo/src/cargo/util/mod.rs
index 4b8604f92..dd695fbff 100644
--- a/src/cargo/util/mod.rs
+++ b/src/tools/cargo/src/cargo/util/mod.rs
@@ -14,6 +14,7 @@ pub use self::hasher::StableHasher;
 pub use self::hex::{hash_u64, short_hash, to_hex};
 pub use self::into_url::IntoUrl;
 pub use self::into_url_with_base::IntoUrlWithBase;
+pub(crate) use self::io::LimitErrorReader;
 pub use self::lev_distance::{closest, closest_msg, lev_distance};
 pub use self::lockserver::{LockServer, LockServerClient, LockServerStarted};
 pub use self::progress::{Progress, ProgressStyle};
@@ -44,6 +45,7 @@ pub mod important_paths;
 pub mod interning;
 pub mod into_url;
 mod into_url_with_base;
+mod io;
 pub mod job;
 pub mod lev_distance;
 mod lockserver;
-- 
2.37.3


++++++ 0003-CVE-2022-36113-avoid-unpacking-.cargo-ok-from-the-cr.patch ++++++
>From 47bb45ecffb6ad1d85abef64d7d9f6c51ecd0dc5 Mon Sep 17 00:00:00 2001
From: Josh Triplett <j...@joshtriplett.org>
Date: Thu, 18 Aug 2022 17:17:19 +0200
Subject: [PATCH 2/2] CVE-2022-36113: avoid unpacking .cargo-ok from the crate

---
 src/cargo/sources/registry/mod.rs | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/cargo/sources/registry/mod.rs 
b/src/tools/cargo/src/cargo/sources/registry/mod.rs
index 1df7738e3..03675d16f 100644
--- a/src/cargo/sources/registry/mod.rs
+++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
@@ -645,6 +645,13 @@ impl<'cfg> RegistrySource<'cfg> {
                     prefix
                 )
             }
+            // Prevent unpacking the lockfile from the crate itself.
+            if entry_path
+                .file_name()
+                .map_or(false, |p| p == PACKAGE_SOURCE_LOCK)
+            {
+                continue;
+            }
             // Unpacking failed
             let mut result = 
entry.unpack_in(parent).map_err(anyhow::Error::from);
             if cfg!(windows) && 
restricted_names::is_windows_reserved_path(&entry_path) {
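Review bot: The new check matches on `file_name()`, so it skips a `.cargo-ok` entry at any depth in the crate (e.g. `<prefix>/src/.cargo-ok`), not only the root-level one that would collide with the lock file written after the loop; that is safe but broader than the comment suggests, and the skip is silent. Suggest making the comment state the intent: `// Never unpack an entry named like the lock file, at any depth: a crate must not be able to pre-create or symlink `.cargo-ok`, which is written only after unpacking succeeds.` If a `config`/shell handle is reachable here, a warning would make a crate that ships such an entry visible instead of dropped quietly. The enclosing loop and function start before this hunk.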
@@ -660,16 +667,14 @@ impl<'cfg> RegistrySource<'cfg> {
                 .with_context(|| format!("failed to unpack entry at `{}`", 
entry_path.display()))?;
         }
 
-        // The lock file is created after unpacking so we overwrite a lock file
-        // which may have been extracted from the package.
+        // Now that we've finished unpacking, create and write to the lock 
file to indicate that
+        // unpacking was successful.
         let mut ok = OpenOptions::new()
-            .create(true)
+            .create_new(true)
             .read(true)
             .write(true)
             .open(&path)
             .with_context(|| format!("failed to open `{}`", path.display()))?;
-
-        // Write to the lock file to indicate that unpacking was successful.
         write!(ok, "ok")?;
 
         Ok(unpack_dir.to_path_buf())
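Review bot: The switch to `create_new(true)` is the actual mitigation — it opens with `O_CREAT|O_EXCL`, which fails rather than following a pre-existing file or (dangling) symlink — but the rewritten comment only says the lock file is written, so a later maintainer could revert to `create(true)` as a harmless simplification. Suggest `// create_new (O_EXCL) must not be relaxed: it guarantees we never follow a symlink or overwrite a file placed at this path by the crate or left by another process.` The context `failed to open` now also covers an `AlreadyExists` error with a very different meaning; `format!("failed to create lock file `{}` (it must not already exist)", path.display())` would be clearer. The function continues past the hunk.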
-- 
2.37.3
