[nightly] Fix CVE-2024-43402 #129962

Merged
merged 1 commit into from
Sep 4, 2024

pietroalbini
Member

Include the fix for CVE-2024-43402 in nightly. See GHSA-2xg3-7mm6-98jj for more information about it.

r? @ghost

@rustbot rustbot added O-windows Operating system: Windows S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Sep 4, 2024
@pietroalbini
Member Author

@bors r=Amanieu p=500 rollup=never

@bors
Collaborator

bors commented Sep 4, 2024

📌 Commit c811d31 has been approved by Amanieu

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Sep 4, 2024
@bors
Collaborator

bors commented Sep 4, 2024

⌛ Testing commit c811d31 with merge 4ac7bcb...

@bors
Collaborator

bors commented Sep 4, 2024

☀️ Test successful - checks-actions
Approved by: Amanieu
Pushing 4ac7bcb to master...

@bors bors added the merged-by-bors This PR was explicitly merged by bors. label Sep 4, 2024
@bors bors merged commit 4ac7bcb into rust-lang:master Sep 4, 2024
7 checks passed
@rustbot rustbot added this to the 1.83.0 milestone Sep 4, 2024
@pietroalbini pietroalbini deleted the pa-cve-2024-43402-nightly branch September 4, 2024 21:44
@rust-timer
Collaborator

Finished benchmarking commit (4ac7bcb): comparison URL.

Overall result: ✅ improvements - no action needed

@rustbot label: -perf-regression

Instruction count

This is a highly reliable metric that was used to determine the overall result at the top of this comment.

| | mean | range | count |
|---|---|---|---|
| Regressions ❌ (primary) | - | - | 0 |
| Regressions ❌ (secondary) | - | - | 0 |
| Improvements ✅ (primary) | - | - | 0 |
| Improvements ✅ (secondary) | -5.0% | [-5.0%, -5.0%] | 1 |
| All ❌✅ (primary) | - | - | 0 |

Max RSS (memory usage)

Results (secondary -2.7%)

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

| | mean | range | count |
|---|---|---|---|
| Regressions ❌ (primary) | - | - | 0 |
| Regressions ❌ (secondary) | - | - | 0 |
| Improvements ✅ (primary) | - | - | 0 |
| Improvements ✅ (secondary) | -2.7% | [-2.9%, -2.6%] | 2 |
| All ❌✅ (primary) | - | - | 0 |

Cycles

This benchmark run did not return any relevant results for this metric.

Binary size

Results (secondary -0.1%)

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

| | mean | range | count |
|---|---|---|---|
| Regressions ❌ (primary) | - | - | 0 |
| Regressions ❌ (secondary) | - | - | 0 |
| Improvements ✅ (primary) | - | - | 0 |
| Improvements ✅ (secondary) | -0.1% | [-0.1%, -0.1%] | 1 |
| All ❌✅ (primary) | - | - | 0 |

Bootstrap: 751.345s -> 751.188s (-0.02%)
Artifact size: 340.69 MiB -> 340.71 MiB (0.01%)

squeek502 added a commit to squeek502/zig that referenced this pull request Mar 26, 2025
…space safely

Context:
- https://blog.rust-lang.org/2024/09/04/cve-2024-43402.html
- rust-lang/rust#129962

Note that the Rust test case for this checks that it executes the batch file successfully with the proper mitigation in place, while the Zig test case expects a FileNotFound error. This is because of a PATHEXT optimization that Zig does, and that Rust doesn't do because Rust doesn't do PATHEXT appending (it only appends .exe specifically). See the added comment for more details.
alexrp pushed a commit to ziglang/zig that referenced this pull request Mar 26, 2025
…space safely

Context:
- https://blog.rust-lang.org/2024/09/04/cve-2024-43402.html
- rust-lang/rust#129962

Note that the Rust test case for this checks that it executes the batch file successfully with the proper mitigation in place, while the Zig test case expects a FileNotFound error. This is because of a PATHEXT optimization that Zig does, and that Rust doesn't do because Rust doesn't do PATHEXT appending (it only appends .exe specifically). See the added comment for more details.