[beta] Fix for CVE-2022-36113 and CVE-2022-36114 #11088

Merged
merged 5 commits into from
Sep 14, 2022

Conversation

pietroalbini
Member

This PR includes the fixes for CVE-2022-36113 and CVE-2022-36114 targeting the beta branch. See the advisory for more information about the vulnerabilities.

joshtriplett and others added 4 commits September 14, 2022 10:54
This gives users of custom registries the same protections, using the
same size limit that crates.io uses.

`LimitErrorReader` code copied from crates.io.
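The size-limit guard the commit message refers to, as an added illustrative example (not cargo's or crates.io's own `LimitErrorReader` code): a `Read` wrapper that fails once more than `limit` bytes have passed through it, with a constructed never-ending stream standing in for a decompression bomb and an assumed `unpack_with_limit` helper in place of the real archive-unpacking step.

```rust
use std::io::{self, ErrorKind, Read};

/// Wraps a reader and fails as soon as more than `limit` bytes have been
/// pulled through it. Illustrative re-implementation, not cargo's code.
pub struct LimitErrorReader<R> {
    inner: R,
    limit: u64,
    read: u64,
}

impl<R: Read> LimitErrorReader<R> {
    pub fn new(inner: R, limit: u64) -> Self {
        LimitErrorReader { inner, limit, read: 0 }
    }
}

impl<R: Read> Read for LimitErrorReader<R> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        let n = self.inner.read(buf)?;
        self.read += n as u64;
        if self.read > self.limit {
            // Abort the unpack instead of letting an inflating stream fill the disk.
            return Err(io::Error::new(ErrorKind::Other, "maximum unpack size exceeded"));
        }
        Ok(n)
    }
}

/// Drains `src` through the limit; returns the byte count or the limit error.
/// Constructed helper standing in for the archive-unpacking step.
pub fn unpack_with_limit<R: Read>(src: R, limit: u64) -> io::Result<u64> {
    let mut sink = Vec::new();
    LimitErrorReader::new(src, limit).read_to_end(&mut sink)?;
    Ok(sink.len() as u64)
}

/// Constructed stand-in for a decompression bomb: never reaches EOF.
pub struct EndlessZeros;

impl Read for EndlessZeros {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        buf.fill(0);
        Ok(buf.len())
    }
}

fn main() {
    let small = vec![7u8; 1024]; // constructed: a crate that fits under the limit
    println!("{:?}", unpack_with_limit(&small[..], 4096)); // Ok(1024)
    println!("{:?}", unpack_with_limit(EndlessZeros, 4096).is_err()); // true
}
```

Without the wrapper, `read_to_end` on the bomb stream would grow the sink until memory or disk ran out; with it, the unpack fails shortly after the limit is crossed.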
@rust-highfive

r? @weihanglo

(rust-highfive has picked a reviewer for you, use r? to override)

@rust-highfive

⚠️ Warning ⚠️

  • Pull requests are usually filed against the master branch for this repo, but this one is against rust-1.64.0. Please double check that you specified the right target!

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Sep 14, 2022
@weihanglo
Member

Thank you!

@bors r+

@bors
Contributor

bors commented Sep 14, 2022

📌 Commit ded21af has been approved by weihanglo

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Sep 14, 2022
@bors
Contributor

bors commented Sep 14, 2022

⌛ Testing commit ded21af with merge 8ddc422...

@bors
Contributor

bors commented Sep 14, 2022

☀️ Test successful - checks-actions
Approved by: weihanglo
Pushing 8ddc422 to rust-1.64.0...

@bors bors merged commit 8ddc422 into rust-lang:rust-1.64.0 Sep 14, 2022
bors added a commit that referenced this pull request Sep 15, 2022
[Beta] Run `reach_max_unpack_size` test only on debug build

`cargo test --release` fails on test `reach_max_unpack_size` as the binary to exercise is optimized. The alternative approach is removing `cfg!(debug_assertions)` from this line.
<https://github.com/rust-lang/cargo/blob/9ef926dafc217bf4ab781ea2d9bbd029359bd241/src/cargo/sources/registry/mod.rs#L842>

#11088
@pietroalbini pietroalbini deleted the pa-cves-beta branch September 16, 2022 08:52
weihanglo added a commit to weihanglo/rust that referenced this pull request Sep 16, 2022
3 commits in 4bcb3c65e440a12044092b85ffea8fac6cb96f42..387270bc7f446d17869c7f208207c73231d6a252
2022-08-17 21:01:34 +0000 to 2022-09-16 20:18:27 +0000

- Beta backport rust-lang/cargo#11082 (rust-lang/cargo#11097)
- [Beta] Run `reach_max_unpack_size` test only on debug build (rust-lang/cargo#11090)
- [beta] Fix for CVE-2022-36113 and CVE-2022-36114 (rust-lang/cargo#11088)
bors pushed a commit to rust-lang-ci/rust that referenced this pull request Sep 19, 2022
3 commits in 4bcb3c65e440a12044092b85ffea8fac6cb96f42..387270bc7f446d17869c7f208207c73231d6a252
2022-08-17 21:01:34 +0000 to 2022-09-16 20:18:27 +0000

- Beta backport rust-lang/cargo#11082 (rust-lang/cargo#11097)
- [Beta] Run `reach_max_unpack_size` test only on debug build (rust-lang/cargo#11090)
- [beta] Fix for CVE-2022-36113 and CVE-2022-36114 (rust-lang/cargo#11088)
@ehuss ehuss added this to the 1.64.0 milestone Sep 21, 2022