Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CVE-2023-38497 for master #12443

Merged
merged 3 commits into from
Aug 3, 2023

Conversation

pietroalbini
Copy link
Member

@pietroalbini pietroalbini commented Aug 3, 2023

Changes have been made by @weihanglo and reviewed by @ehuss in a private repository.

@rustbot
Copy link
Collaborator

rustbot commented Aug 3, 2023

r? @ehuss

(rustbot has picked a reviewer for you, use r? to override)

@rustbot rustbot added A-registries Area: registries S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 3, 2023

Verified

This commit was signed with the committer’s verified signature. The key has expired.
weihanglo Weihang Lo
This is not secure and will be fixed in the next commit.

Verified

This commit was signed with the committer’s verified signature. The key has expired.
weihanglo Weihang Lo
Without this, an attacker can leverage globally writable files buried
in the `.crate` file. After a user downloaded and unpacked the file,
the attacker can then write malicous code to the downloaded sources.

Verified

This commit was signed with the committer’s verified signature. The key has expired.
weihanglo Weihang Lo
In 1.71, `.cargo-ok` changed to contain a JSON `{ v: 1 }` to indicate
the version of it. A failure of parsing will result in a heavy-hammer
approach that unpacks the `.crate` file again. This is in response to a
security issue that the unpacking didn't respect umask on Unix systems.
@weihanglo weihanglo force-pushed the pa-cve-2023-38497-nightly branch from ffddd6d to c60c065 Compare August 3, 2023 12:43
@weihanglo
Copy link
Member

@bors r+

@bors
Copy link
Contributor

bors commented Aug 3, 2023

📌 Commit c60c065 has been approved by weihanglo

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 3, 2023
@bors
Copy link
Contributor

bors commented Aug 3, 2023

⌛ Testing commit c60c065 with merge d78bbf4...

@bors
Copy link
Contributor

bors commented Aug 3, 2023

☀️ Test successful - checks-actions
Approved by: weihanglo
Pushing d78bbf4 to master...

@bors bors merged commit d78bbf4 into rust-lang:master Aug 3, 2023
bors added a commit to rust-lang-ci/rust that referenced this pull request Aug 3, 2023
Update cargo (CVE-2023-38497 fix included)

2 commits in 020651c52257052d28f6fd83fbecf5cfa1ed516c..d78bbf4bde3c6b95caca7512f537c6f9721426ff
2023-08-02 16:00:37 +0000 to 2023-08-03 12:58:25 +0000
- Fix CVE-2023-38497 for master (rust-lang/cargo#12443)
- Don't attempt to read a token from stdin if a cmdline token is provided (rust-lang/cargo#12440)

r? `@ghost`
@ehuss ehuss added this to the 1.73.0 milestone Aug 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-registries Area: registries S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

5 participants