Diffstat (limited to 'dev-lang/rust/files/1.63.0-CVE-2022-36113.patch')
-rw-r--r-- | dev-lang/rust/files/1.63.0-CVE-2022-36113.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/dev-lang/rust/files/1.63.0-CVE-2022-36113.patch b/dev-lang/rust/files/1.63.0-CVE-2022-36113.patch
new file mode 100644
index 000000000000..a87687dce387
--- /dev/null
+++ b/dev-lang/rust/files/1.63.0-CVE-2022-36113.patch
@@ -0,0 +1,48 @@
+From 97b80919e404b0768ea31ae329c3b4da54bed05a Mon Sep 17 00:00:00 2001
+From: Josh Triplett <josh@joshtriplett.org>
+Date: Thu, 18 Aug 2022 17:17:19 +0200
+Subject: [PATCH] CVE-2022-36113: avoid unpacking .cargo-ok from the crate
+
+---
+ src/cargo/sources/registry/mod.rs | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+gyakovlev: 'sed -i 's|/src/cargo|/src/tools/cargo/src/cargo|g'
+
+diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+index c17b822fd0..a2863bf78a 100644
+--- a/src/tools/cargo/src/cargo/sources/registry/mod.rs
++++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs
+@@ -639,6 +639,13 @@ impl<'cfg> RegistrySource<'cfg> {
+ prefix
+ )
+ }
++ // Prevent unpacking the lockfile from the crate itself.
++ if entry_path
++ .file_name()
++ .map_or(false, |p| p == PACKAGE_SOURCE_LOCK)
++ {
++ continue;
++ }
+ // Unpacking failed
+ let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from);
+ if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) {
+@@ -654,16 +661,14 @@ impl<'cfg> RegistrySource<'cfg> {
+ .with_context(|| format!("failed to unpack entry at `{}`", entry_path.display()))?;
+ }
+
+- // The lock file is created after unpacking so we overwrite a lock file
+- // which may have been extracted from the package.
++ // Now that we've finished unpacking, create and write to the lock file to indicate that
++ // unpacking was successful.
+ let mut ok = OpenOptions::new()
+- .create(true)
++ .create_new(true)
+ .read(true)
+ .write(true)
+ .open(&path)
+ .with_context(|| format!("failed to open `{}`", path.display()))?;
+-
+- // Write to the lock file to indicate that unpacking was successful.
+ write!(ok, "ok")?;
+
+ Ok(unpack_dir.to_path_buf()) |
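Review bot: The switch to `.create_new(true)` in the second inner hunk has no comment saying why `create` was not good enough, and the replacement comment above it only says "create and write to the lock file", so a later cleanup could plausibly revert it to `.create(true)` and silently reopen the hole. Suggest stating the invariant right on that line, e.g. `// create_new: a pre-existing .cargo-ok must be an error, never silently trusted or overwritten`, and in the first inner hunk noting that the `file_name()` comparison deliberately drops an entry named `.cargo-ok` at any depth in the archive, not only at the package root. Note that with `create_new` an existing marker now surfaces as a hard `failed to open` error instead of being overwritten; whether anything other than a crate-supplied marker (now filtered out) can reach that point depends on the early-return logic earlier in `unpack_package`, which lies outside this hunk, so that is worth confirming against the surrounding code. The `gyakovlev: 'sed -i ...` line in the patch preamble is harmless to `git am`/`eapply`, but its unbalanced quoting reads as a command rather than a maintainer note; a plain sentence ("paths rewritten with sed from src/cargo to src/tools/cargo/src/cargo") would be clearer.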