Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE-2023-38497 for master #12443

Merged
merged 3 commits into from
Aug 3, 2023
Merged

Fix CVE-2023-38497 for master #12443

merged 3 commits into from
Aug 3, 2023

Conversation

pietroalbini
Copy link
Member

@pietroalbini pietroalbini commented Aug 3, 2023
edited
Loading

Changes have been made by @weihanglo and reviewed by @ehuss in a private repository.

@rustbot
Copy link
Collaborator

rustbot commented Aug 3, 2023

r? @ehuss

(rustbot has picked a reviewer for you, use r? to override)

@rustbot rustbot added A-registries Area: registries S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 3, 2023
@weihanglo
test: verify permissions bits are preserved when unpacking
789a2fb 
This is not secure and will be fixed in the next commit.
@weihanglo
fix: respect umask when unpacking .crate files
4fafa69 
Without this, an attacker can leverage globally writable files buried
in the `.crate` file. After a user downloaded and unpacked the file,
the attacker can then write malicous code to the downloaded sources.
@weihanglo
fix: clear cache for old .cargo-ok format
c60c065 
In 1.71, `.cargo-ok` changed to contain a JSON `{ v: 1 }` to indicate
the version of it. A failure of parsing will result in a heavy-hammer
approach that unpacks the `.crate` file again. This is in response to a
security issue that the unpacking didn't respect umask on Unix systems.
@weihanglo
Copy link
Member

@bors r+

@bors
Copy link
Collaborator

bors commented Aug 3, 2023

📌 Commit c60c065 has been approved by weihanglo

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 3, 2023
@bors
Copy link
Collaborator

bors commented Aug 3, 2023

⌛ Testing commit c60c065 with merge d78bbf4...

@bors
Copy link
Collaborator

bors commented Aug 3, 2023

☀️ Test successful - checks-actions
Approved by: weihanglo
Pushing d78bbf4 to master...

@bors bors merged commit d78bbf4 into rust-lang:master Aug 3, 2023
18 checks passed
@weihanglo weihanglo mentioned this pull request Aug 3, 2023
Merged
bors added a commit to rust-lang-ci/rust that referenced this pull request Aug 3, 2023
@bors
Auto merge of rust-lang#114420 - weihanglo:update-cargo, r=weihanglo
defed62 
Update cargo (CVE-2023-38497 fix included)

2 commits in 020651c52257052d28f6fd83fbecf5cfa1ed516c..d78bbf4bde3c6b95caca7512f537c6f9721426ff
2023-08-02 16:00:37 +0000 to 2023-08-03 12:58:25 +0000
- Fix CVE-2023-38497 for master (rust-lang/cargo#12443)
- Don't attempt to read a token from stdin if a cmdline token is provided (rust-lang/cargo#12440)

r? `@ghost`
@ehuss ehuss added this to the 1.73.0 milestone Aug 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@weihanglo weihanglo weihanglo approved these changes

Assignees

@ehuss ehuss

Labels
A-registries Area: registries S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion.
Projects
None yet
Milestone
1.73.0
Development

Successfully merging this pull request may close these issues.
5 participants
@pietroalbini @rustbot @weihanglo @bors @ehuss