
Fix CVE-2023-38497 for beta 1.72.0 #12442

Merged
merged 4 commits into from
Aug 3, 2023

Conversation

pietroalbini
Member

Changes have been made by @weihanglo and reviewed by @ehuss in a private repository.

This is not secure and will be fixed in the next commit.
@rustbot
Collaborator

rustbot commented Aug 3, 2023

r? @weihanglo

(rustbot has picked a reviewer for you, use r? to override)

@rustbot
Collaborator

rustbot commented Aug 3, 2023

⚠️ Warning ⚠️

  • Pull requests are usually filed against the master branch for this repo, but this one is against rust-1.72.0. Please double check that you specified the right target!

@rustbot rustbot added A-registries Area: registries S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 3, 2023
@weihanglo
Member

@bors r+

@bors
Collaborator

bors commented Aug 3, 2023

📌 Commit e70fae6 has been approved by weihanglo

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 3, 2023
@bors
Collaborator

bors commented Aug 3, 2023

⌛ Testing commit e70fae6 with merge 3fcab95...

bors added a commit that referenced this pull request Aug 3, 2023
Fix CVE-2023-38497 for beta 1.72.0

Changes have been made by `@weihanglo` and reviewed by `@ehuss` in a private repository.
@bors
Collaborator

bors commented Aug 3, 2023

💔 Test failed - checks-actions

@bors bors added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. labels Aug 3, 2023
Without this, an attacker can leverage globally writable files buried
in the `.crate` file. After a user downloaded and unpacked the file,
the attacker can then write malicious code to the downloaded sources.
In 1.71, `.cargo-ok` changed to contain a JSON `{ v: 1 }` to indicate
the version of it. A failure of parsing will result in a heavy-hammer
approach that unpacks the `.crate` file again. This is in response to a
security issue that the unpacking didn't respect umask on Unix systems.
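The two mechanisms the commit messages above describe, as an added example that is not cargo's own code: a versioned `.cargo-ok` marker whose absence or unparsable state forces re-extraction, and umask-respecting modes for entries taken from the archive. It assumes the marker is serialised as `{"v":1}` (the JSON form of the `{ v: 1 }` named above) and uses only the standard library.

```rust
// Added example (not cargo's code): the `.cargo-ok` version marker and
// umask-aware mode handling from the CVE-2023-38497 fix, in miniature.
use std::fs;
use std::path::Path;

/// cargo 1.71+ writes a JSON marker; assumed here to be `{"v":1}`.
/// A legacy empty marker or anything unparsable returns false,
/// which callers treat as "unpack the `.crate` again".
pub fn cargo_ok_is_valid(contents: &str) -> bool {
    let compact: String = contents.chars().filter(|c| !c.is_whitespace()).collect();
    compact == "{\"v\":1}"
}

/// An unpacked directory is trusted only if `.cargo-ok` exists and is valid.
pub fn needs_reextract(unpacked_dir: &Path) -> bool {
    match fs::read_to_string(unpacked_dir.join(".cargo-ok")) {
        Ok(s) => !cargo_ok_is_valid(&s),
        Err(_) => true,
    }
}

/// Apply the process umask to a mode read from a tar header so that a
/// world-writable entry inside a `.crate` cannot land on disk as a
/// world-writable file. Only the permission bits survive; setuid,
/// setgid and sticky bits from the archive are dropped as well.
pub fn sanitize_mode(archive_mode: u32, umask: u32) -> u32 {
    (archive_mode & 0o777) & !umask
}

/// Audit helper for an already-unpacked tree: indices of entries whose
/// mode still grants write access to "other".
pub fn world_writable(modes: &[u32]) -> Vec<usize> {
    modes
        .iter()
        .enumerate()
        .filter(|(_, m)| **m & 0o002 != 0)
        .map(|(i, _)| i)
        .collect()
}

fn main() {
    for (mode, umask) in [(0o666, 0o022), (0o777, 0o022), (0o4777, 0o077)] {
        println!("{:o} with umask {:o} -> {:o}", mode, umask, sanitize_mode(mode, umask));
    }
    println!("valid marker: {}", cargo_ok_is_valid("{\"v\":1}\n"));
    println!("legacy empty marker valid: {}", cargo_ok_is_valid(""));
}
```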
@weihanglo
Member

@bors r+

@bors
Collaborator

bors commented Aug 3, 2023

📌 Commit 6aa9859 has been approved by weihanglo

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 3, 2023
@bors
Collaborator

bors commented Aug 3, 2023

⌛ Testing commit 6aa9859 with merge 44b6be4...

@bors
Collaborator

bors commented Aug 3, 2023

☀️ Test successful - checks-actions
Approved by: weihanglo
Pushing 44b6be4 to rust-1.72.0...

@bors bors merged commit 44b6be4 into rust-lang:rust-1.72.0 Aug 3, 2023
20 checks passed
bors added a commit to rust-lang-ci/rust that referenced this pull request Aug 3, 2023
…nglo

[beta-1.72] Update cargo (CVE-2023-38497 fix included)

1 commits in 11ffe0e500346b26e3de1ba115482b4da586dfac..44b6be4bdf2cd7d3f4d4cb266bfe428dfc2a7952
2023-07-30 20:44:11 +0000 to 2023-08-03 13:43:58 +0000
- Fix CVE-2023-38497 for beta 1.72.0 (rust-lang/cargo#12442)

r? `@ghost`
@ehuss ehuss added this to the 1.72.0 milestone Aug 22, 2023