!136 Fix CVE-2022-36113, CVE-2022-36114

From: @starlet-dx Reviewed-by: @wk333 Signed-off-by: @wk333
2024-06-27 08:27:55 +00:00 · 2024-06-27 08:27:55 +00:00 · a3f446395c
commit a3f446395c
parent a90b101472 93ef97409d
3 changed files with 169 additions and 1 deletions
--- a/CVE-2022-36113.patch
+++ b/CVE-2022-36113.patch
@ -0,0 +1,54 @@
+Refer: 
+https://github.com/rust-lang/cargo/commit/15f1e4b0bf4b4fc20369e0a85d9b77957c4dd52a
+https://build.opensuse.org/package/show/SUSE:SLE-15-SP3:Update/rust1.62
+
+From 15f1e4b0bf4b4fc20369e0a85d9b77957c4dd52a Mon Sep 17 00:00:00 2001
+From: Josh Triplett <josh@joshtriplett.org>
+Date: Thu, 18 Aug 2022 17:17:19 +0200
+Subject: [PATCH] CVE-2022-36113: avoid unpacking .cargo-ok from the crate
+
+---
+ src/tools/cargo/src/cargo/sources/registry/mod.rs | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+index 3142e71..5357e9c 100644
+--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
+++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+@@ -607,6 +607,13 @@ impl<'cfg> RegistrySource<'cfg> {
+                     prefix
+                 )
+             }
+            // Prevent unpacking the lockfile from the crate itself.
+            if entry_path
+                .file_name()
+                .map_or(false, |p| p == PACKAGE_SOURCE_LOCK)
+            {
+                continue;
+            }
+             // Unpacking failed
+             let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from);
+             if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) {
+@@ -621,16 +628,15 @@ impl<'cfg> RegistrySource<'cfg> {
+             result.chain_err(|| format!("failed to unpack entry at `{}`", entry_path.display()))?;
+         }
+ 
+-        // The lock file is created after unpacking so we overwrite a lock file
+-        // which may have been extracted from the package.
+        // Now that we've finished unpacking, create and write to the lock file to indicate that
+        // unpacking was successful.
+         let mut ok = OpenOptions::new()
+-            .create(true)
+            .create_new(true)
+             .read(true)
+             .write(true)
+             .open(&path)
+             .chain_err(|| format!("failed to open `{}`", path.display()))?;
+ 
+-        // Write to the lock file to indicate that unpacking was successful.
+         write!(ok, "ok")?;
+ 
+         Ok(unpack_dir.to_path_buf())
+-- 
+2.27.0
+
--- a/CVE-2022-36114.patch
+++ b/CVE-2022-36114.patch
@ -0,0 +1,107 @@
+Refer: 
+https://github.com/rust-lang/cargo/commit/2b68d3c07a4a056264dc006ecb9f1354a0679cd3
+https://build.opensuse.org/package/show/SUSE:SLE-15-SP3:Update/rust1.62
+
+From 2b68d3c07a4a056264dc006ecb9f1354a0679cd3 Mon Sep 17 00:00:00 2001
+From: Josh Triplett <josh@joshtriplett.org>
+Date: Thu, 18 Aug 2022 17:45:45 +0200
+Subject: [PATCH] CVE-2022-36114: limit the maximum unpacked size of a crate to
+ 512MB
+
+This gives users of custom registries the same protections, using the
+same size limit that crates.io uses.
+
+`LimitErrorReader` code copied from crates.io.
+
+---
+ .../cargo/src/cargo/sources/registry/mod.rs   |  4 ++-
+ src/tools/cargo/src/cargo/util/io.rs          | 27 +++++++++++++++++++
+ src/tools/cargo/src/cargo/util/mod.rs         |  2 ++
+ 3 files changed, 32 insertions(+), 1 deletion(-)
+ create mode 100644 src/tools/cargo/src/cargo/util/io.rs
+
+diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+index 5357e9c..e2028d5 100644
+--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
+++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+@@ -179,7 +179,7 @@ use crate::util::errors::CargoResultExt;
+ use crate::util::hex;
+ use crate::util::interning::InternedString;
+ use crate::util::into_url::IntoUrl;
+-use crate::util::{restricted_names, CargoResult, Config, Filesystem};
+use crate::util::{restricted_names, CargoResult, Config, Filesystem, LimitErrorReader};
+ 
+ const PACKAGE_SOURCE_LOCK: &str = ".cargo-ok";
+ pub const CRATES_IO_INDEX: &str = "https://github.com/rust-lang/crates.io-index";
+@@ -188,6 +188,7 @@ const CRATE_TEMPLATE: &str = "{crate}";
+ const VERSION_TEMPLATE: &str = "{version}";
+ const PREFIX_TEMPLATE: &str = "{prefix}";
+ const LOWER_PREFIX_TEMPLATE: &str = "{lowerprefix}";
+const MAX_UNPACK_SIZE: u64 = 512 * 1024 * 1024;
+ 
+ /// A "source" for a [local](local::LocalRegistry) or
+ /// [remote](remote::RemoteRegistry) registry.
+@@ -583,6 +584,7 @@ impl<'cfg> RegistrySource<'cfg> {
+             }
+         }
+         let gz = GzDecoder::new(tarball);
+        let gz = LimitErrorReader::new(gz, MAX_UNPACK_SIZE);
+         let mut tar = Archive::new(gz);
+         let prefix = unpack_dir.file_name().unwrap();
+         let parent = unpack_dir.parent().unwrap();
+diff --git a/src/tools/cargo/src/cargo/util/io.rs b/src/tools/cargo/src/cargo/util/io.rs
+new file mode 100644
+index 0000000..f62672d
+--- /dev/null
+++ b/src/tools/cargo/src/cargo/util/io.rs
+@@ -0,0 +1,27 @@
+use std::io::{self, Read, Take};
+
+#[derive(Debug)]
+pub struct LimitErrorReader<R> {
+    inner: Take<R>,
+}
+
+impl<R: Read> LimitErrorReader<R> {
+    pub fn new(r: R, limit: u64) -> LimitErrorReader<R> {
+        LimitErrorReader {
+            inner: r.take(limit),
+        }
+    }
+}
+
+impl<R: Read> Read for LimitErrorReader<R> {
+    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+        match self.inner.read(buf) {
+            Ok(0) if self.inner.limit() == 0 => Err(io::Error::new(
+                io::ErrorKind::Other,
+                "maximum limit reached when reading",
+            )),
+            e => e,
+        }
+    }
+}
+
+diff --git a/src/tools/cargo/src/cargo/util/mod.rs b/src/tools/cargo/src/cargo/util/mod.rs
+index f0408d2..9e5f83e 100644
+--- a/src/tools/cargo/src/cargo/util/mod.rs
+++ b/src/tools/cargo/src/cargo/util/mod.rs
+@@ -13,6 +13,7 @@ pub use self::hasher::StableHasher;
+ pub use self::hex::{hash_u64, short_hash, to_hex};
+ pub use self::into_url::IntoUrl;
+ pub use self::into_url_with_base::IntoUrlWithBase;
+pub(crate) use self::io::LimitErrorReader;
+ pub use self::lev_distance::{closest, closest_msg, lev_distance};
+ pub use self::lockserver::{LockServer, LockServerClient, LockServerStarted};
+ pub use self::paths::{bytes2path, dylib_path, join_paths, path2bytes};
+@@ -46,6 +47,7 @@ pub mod important_paths;
+ pub mod interning;
+ pub mod into_url;
+ mod into_url_with_base;
+mod io;
+ pub mod job;
+ pub mod lev_distance;
+ mod lockserver;
+-- 
+2.27.0
+
--- a/rust.spec
+++ b/rust.spec
@ -12,7 +12,7 @@
 %bcond_without lldb
 Name:                rust
 Version:             1.51.0
-Release:             7
+Release:             8
 Summary:             The Rust Programming Language
 License:             (ASL 2.0 or MIT) and (BSD and MIT)
 URL:                 https://www.rust-lang.org
@ -41,6 +41,8 @@ Patch0012:           fix-a-println-wrong-format.patch
 Patch0013:           CVE-2021-29922.patch
 Patch0014:           fix-rustdoc-error-info.patch
 Patch0015:           CVE-2024-24577.patch
+Patch3000:           CVE-2022-36113.patch
+Patch3001:           CVE-2022-36114.patch
 %{lua: function rust_triple(arch)
  local abi = "gnu"
  if arch == "armv7hl" then
@ -266,6 +268,8 @@ mkdir -p src/llvm-project/libunwind/
 %patch0013 -p1
 %patch0014 -p1
 %patch0015 -p1
+%patch3000 -p1
+%patch3001 -p1
 rm -rf vendor/curl-sys/curl/
 rm -rf vendor/jemalloc-sys/jemalloc/
 rm -rf vendor/libssh2-sys/libssh2/
@ -471,6 +475,9 @@ export %{rust_env}
 %{_mandir}/man1/cargo*.1*

 %changelog
+* Thu Jun 27 2024 wangkai <13474090681@163.com> - 1.51.0-8
+- Fix CVE-2022-36113,  CVE-2022-36114
+
 * Fri Mar 15 2024 huangwenhua <huangwenhua@kylinos.cn> - 1.51.0-7
 - Fix spec wrong changlog date format