packages/rust
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
rust/CVE-2022-36113.patch
wk333 93ef97409d Fix CVE-2022-36113, CVE-2022-36114
2024-06-27 16:27:22 +08:00

55 lines
2.2 KiB
Diff
Raw Permalink Blame History

Refer:
https://github.com/rust-lang/cargo/commit/15f1e4b0bf4b4fc20369e0a85d9b77957c4dd52a
https://build.opensuse.org/package/show/SUSE:SLE-15-SP3:Update/rust1.62
From 15f1e4b0bf4b4fc20369e0a85d9b77957c4dd52a Mon Sep 17 00:00:00 2001
From: Josh Triplett <josh@joshtriplett.org>
Date: Thu, 18 Aug 2022 17:17:19 +0200
Subject: [PATCH] CVE-2022-36113: avoid unpacking .cargo-ok from the crate
---
src/tools/cargo/src/cargo/sources/registry/mod.rs | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
index 3142e71..5357e9c 100644
--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
+++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
@@ -607,6 +607,13 @@ impl<'cfg> RegistrySource<'cfg> {
prefix
)
}
+ // Prevent unpacking the lockfile from the crate itself.
+ if entry_path
+ .file_name()
+ .map_or(false, |p| p == PACKAGE_SOURCE_LOCK)
+ {
+ continue;
+ }
// Unpacking failed
let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from);
if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) {
@@ -621,16 +628,15 @@ impl<'cfg> RegistrySource<'cfg> {
result.chain_err(|| format!("failed to unpack entry at `{}`", entry_path.display()))?;
}
- // The lock file is created after unpacking so we overwrite a lock file
- // which may have been extracted from the package.
+ // Now that we've finished unpacking, create and write to the lock file to indicate that
+ // unpacking was successful.
let mut ok = OpenOptions::new()
- .create(true)
+ .create_new(true)
.read(true)
.write(true)
.open(&path)
.chain_err(|| format!("failed to open `{}`", path.display()))?;
- // Write to the lock file to indicate that unpacking was successful.
write!(ok, "ok")?;
Ok(unpack_dir.to_path_buf())
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink