GNU bug report logs - #53461
[kiasoc5@tutanota.com: Rust CVE]


Package: guix-patches

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sun, 23 Jan 2022 00:31:02 UTC

Severity: normal

Tags: patch

Merged with 54439, 56684

Done: Marius Bakke <marius <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#53461; Package guix-patches. (Sun, 23 Jan 2022 00:31:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 23 Jan 2022 00:31:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [kiasoc5 <at> tutanota.com: Rust CVE]
Date: Sat, 22 Jan 2022 19:29:57 -0500

----- Forwarded message from kiasoc5 <at> tutanota.com -----

Date: Sun, 23 Jan 2022 01:20:10 +0100 (CET)
From: kiasoc5 <at> tutanota.com
To: guix-security <at> gnu.org
Subject: Rust CVE

Hi,

Rust has a new CVE that is only mitigated by upgrading to Rust 1.58+.

https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html

Attached is a patch that adds rust-1.58.1. It doesn't replace the default as I'm not sure whether this should be grafted or not.

Thanks
kiasoc5

From 753f4e9c68a7b12267989d1721e97841d9f499d0 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5 <at> tutanota.com>
Date: Sat, 22 Jan 2022 19:10:50 -0500
Subject: [PATCH] gnu: Add rust-1.58.

* gnu/packages/rust.scm (rust-1.58): New variable.
---
 gnu/packages/rust.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 5a6d4a5c30..c9b44da844 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -784,6 +784,10 @@ (define rust-1.57
                             `("procps" ,procps)
                             (package-native-inputs base-rust))))))
 
+(define rust-1.58
+  (rust-bootstrapped-package
+   rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+
 ;;; Note: Only the latest versions of Rust are supported and tested.  The
 ;;; intermediate rusts are built for bootstrapping purposes and should not
 ;;; be relied upon.  This is to ease maintenance and reduce the time
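
Review bot: `rust-1.58` is only defined here, on the `(define rust-1.58` line, and nothing in this four-line change makes any package use it, so everything keeps being built with the current default compiler and the fix for CVE-2022-21658 reaches no build output. The comment kept as context directly below says only the latest Rust is supported and that intermediate rusts exist for bootstrapping, which after this change describes `rust-1.57`; either move the leaf-package role to 1.58.1 and hide `rust-1.57` in the same patch, or say in the commit log that switching the default is left to a follow-up.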

base-commit: dfc32d8d997da74a6e838b450649bd89905ffdc3
-- 
2.34.1



----- End forwarded message -----




Information forwarded to guix-patches <at> gnu.org:
bug#53461; Package guix-patches. (Sun, 23 Jan 2022 03:34:02 GMT) Full text and rfc822 format available.

Message #8 received at 53461 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 53461 <at> debbugs.gnu.org
Subject: Re: bug#53461: [kiasoc5 <at> tutanota.com: Rust CVE]
Date: Sat, 22 Jan 2022 22:33:52 -0500

Hi Leo,

Leo Famulari <leo <at> famulari.name> writes:

> From: kiasoc5 <at> tutanota.com
> Subject: Rust CVE
> To: guix-security <at> gnu.org
> Date: Sun, 23 Jan 2022 01:20:10 +0100 (CET) (3 hours, 7 minutes ago)
>
> Hi,
>
> Rust has a new CVE that is only mitigated by upgrading to Rust 1.58+.
>
> https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
>
> Attached is a patch that adds rust-1.58.1. It doesn't replace the
> default as I'm not sure whether this should be grafted or not.
>
> Thanks
> kiasoc5
>
> From 753f4e9c68a7b12267989d1721e97841d9f499d0 Mon Sep 17 00:00:00 2001
> From: kiasoc5 <kiasoc5 <at> tutanota.com>
> Date: Sat, 22 Jan 2022 19:10:50 -0500
> Subject: [PATCH] gnu: Add rust-1.58.
>
> * gnu/packages/rust.scm (rust-1.58): New variable.
> ---
>  gnu/packages/rust.scm | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
> index 5a6d4a5c30..c9b44da844 100644
> --- a/gnu/packages/rust.scm
> +++ b/gnu/packages/rust.scm
> @@ -784,6 +784,10 @@ (define rust-1.57
>                              `("procps" ,procps)
>                              (package-native-inputs base-rust))))))
>  
> +(define rust-1.58
> +  (rust-bootstrapped-package
> +   rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
> +
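
Review bot: the base32 hash passed as the third argument to `rust-bootstrapped-package` is what pins the 1.58.1 source, and neither the commit log nor the cover message says what it was computed from. For a security update, state in the submission that the hash was taken from the upstream release tarball, and whether that tarball's signature was checked, so a reviewer can reproduce the value before applying.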

The rust-1.57 variable should probably be made private or hidden now.

Also, unless we rebuild all crates with rust-1.58, it seems to me like
we won't be addressing the problem, as the CVE touches the
'remove_dir_all' procedure part of the standard library of Rust (and we
all know Rust likes to build things statically).

Am I missing something?

Thanks,

Maxim




Information forwarded to guix-patches <at> gnu.org:
bug#53461; Package guix-patches. (Sun, 23 Jan 2022 19:29:01 GMT) Full text and rfc822 format available.

Message #11 received at 53461 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 53461 <at> debbugs.gnu.org
Subject: Re: bug#53461: [kiasoc5 <at> tutanota.com: Rust CVE]
Date: Sun, 23 Jan 2022 14:28:50 -0500

On Sat, Jan 22, 2022 at 10:33:52PM -0500, Maxim Cournoyer wrote:
> The rust-1.57 variable should probably be made private or hidden now.
> 
> Also, unless we rebuild all crates with rust-1.58, it seems to me like
> we won't be addressing the problem, as the CVE touches the
> 'remove_dir_all' procedure part of the standard library of Rust (and we
> all know Rust likes to build things statically).
> 
> Am I missing something?

I don't know about Rust things! I just forwarded this message from the
private list to the public list.




Information forwarded to guix-patches <at> gnu.org:
bug#53461; Package guix-patches. (Mon, 24 Jan 2022 21:32:01 GMT) Full text and rfc822 format available.

Message #14 received at 53461 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 53461 <at> debbugs.gnu.org
Subject: Re: bug#53461: [kiasoc5 <at> tutanota.com: Rust CVE]
Date: Mon, 24 Jan 2022 16:31:25 -0500

Hi,

Leo Famulari <leo <at> famulari.name> writes:

> On Sat, Jan 22, 2022 at 10:33:52PM -0500, Maxim Cournoyer wrote:
>> The rust-1.57 variable should probably be made private or hidden now.
>> 
>> Also, unless we rebuild all crates with rust-1.58, it seems to me like
>> we won't be addressing the problem, as the CVE touches the
>> 'remove_dir_all' procedure part of the standard library of Rust (and we
>> all know Rust likes to build things statically).
>> 
>> Am I missing something?
>
> I don't know about Rust things! I just forwarded this message from the
> private list to the public list.

OK!  I just asked in #rust and they confirmed what I thought (all crates
-- well the ones using 'std::fs::remove_dir_all' but we can't easily
know) need to be rebuilt if we are to patch that CVE.

Maxim
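
The triage question raised in the message above, as an added example that is not part of the thread or of Guix: a source scan for references to `remove_dir_all`, extended to everything built from a matching crate, since the affected code is linked in statically. The directory layout (one sub-directory per crate), the `deps` map and the sample crates are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Drop /* ... */ and // comments before matching. Heuristic: a "//" inside a
# string literal is cut too, which can only hide the rest of that line.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
REFERENCE = re.compile(r"\bremove_dir_all\b")

def direct_users(src_root):
    """Names of crates (one sub-directory each) whose code names remove_dir_all."""
    hits = set()
    for crate_dir in sorted(p for p in Path(src_root).iterdir() if p.is_dir()):
        for rs_file in crate_dir.rglob("*.rs"):
            code = COMMENTS.sub("", rs_file.read_text(errors="replace"))
            if REFERENCE.search(code):
                hits.add(crate_dir.name)
                break
    return hits

def needs_rebuild(direct, deps):
    """Close `direct` over reverse dependencies; deps maps crate -> its inputs."""
    affected = set(direct)
    changed = True
    while changed:
        changed = False
        for crate, inputs in deps.items():
            if crate not in affected and affected & set(inputs):
                affected.add(crate)
                changed = True
    return affected

def build_sample_tree(root):
    """Constructed sample input: three made-up crates and their dependency map."""
    files = {
        "cleaner/src/lib.rs": "use std::fs;\npub fn wipe(p: &str) { fs::remove_dir_all(p).unwrap(); }\n",
        "docsonly/src/lib.rs": "// mentions remove_dir_all\n/* fs::remove_dir_all(x) */\npub fn f() {}\n",
        "app/src/main.rs": 'fn main() { cleaner::wipe("scratch"); }\n',
    }
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return {"app": {"cleaner"}, "cleaner": set(), "docsonly": set()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        deps = build_sample_tree(tmp)
        print(sorted(needs_rebuild(direct_users(tmp), deps)))
```

The result over-approximates: a crate that only names a different `remove_dir_all` (its own function, for example) is still listed, which is the safe direction when deciding what to rebuild.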




Information forwarded to guix-patches <at> gnu.org:
bug#53461; Package guix-patches. (Tue, 25 Jan 2022 04:32:01 GMT) Full text and rfc822 format available.

Message #17 received at 53461 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 53461 <at> debbugs.gnu.org
Subject: Re: bug#53461: [kiasoc5 <at> tutanota.com: Rust CVE]
Date: Mon, 24 Jan 2022 23:30:59 -0500

On Mon, Jan 24, 2022 at 04:31:25PM -0500, Maxim Cournoyer wrote:
> OK!  I just asked in #rust and they confirmed what I thought (all crates
> -- well the ones using 'std::fs::remove_dir_all' but we can't easily
> know) need to be rebuilt if we are to patch that CVE.

Okay. Let's see...

------
$ git grep cargo-build-system gnu/packages | wc -l
2152
------

I suppose we could do it quickly on a branch.




Information forwarded to guix-patches <at> gnu.org:
bug#53461; Package guix-patches. (Tue, 25 Jan 2022 23:08:02 GMT) Full text and rfc822 format available.

Message #20 received at 53461 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 53461 <at> debbugs.gnu.org
Subject: Re: bug#53461: [kiasoc5 <at> tutanota.com: Rust CVE]
Date: Tue, 25 Jan 2022 18:06:55 -0500

Hello,

Leo Famulari <leo <at> famulari.name> writes:

> On Mon, Jan 24, 2022 at 04:31:25PM -0500, Maxim Cournoyer wrote:
>> OK!  I just asked in #rust and they confirmed what I thought (all crates
>> -- well the ones using 'std::fs::remove_dir_all' but we can't easily
>> know) need to be rebuilt if we are to patch that CVE.
>
> Okay. Let's see...
>
> ------
> $ git grep cargo-build-system gnu/packages | wc -l
> 2152
> ------
>
> I suppose we could do it quickly on a branch.

Note that Rust is now needed to build all of GTK, at least on x86_64.
That's a rather large rebuild.

Maxim




Information forwarded to guix-patches <at> gnu.org:
bug#53461; Package guix-patches. (Wed, 26 Jan 2022 02:58:02 GMT) Full text and rfc822 format available.

Message #23 received at 53461 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 53461 <at> debbugs.gnu.org
Subject: Re: bug#53461: [kiasoc5 <at> tutanota.com: Rust CVE]
Date: Tue, 25 Jan 2022 21:57:22 -0500

On Tue, Jan 25, 2022 at 06:06:55PM -0500, Maxim Cournoyer wrote:
> > I suppose we could do it quickly on a branch.
> 
> Note that Rust is now needed to build all of GTK, at least on x86_64.
> That's a rather large rebuild.

Oh, right.

Well, I wonder what we should do?




Information forwarded to guix-patches <at> gnu.org:
bug#53461; Package guix-patches. (Thu, 27 Jan 2022 22:00:03 GMT) Full text and rfc822 format available.

Message #26 received at 53461 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 53461 <at> debbugs.gnu.org
Subject: Re: bug#53461: [kiasoc5 <at> tutanota.com: Rust CVE]
Date: Thu, 27 Jan 2022 16:59:40 -0500

Hello,

Leo Famulari <leo <at> famulari.name> writes:

> On Tue, Jan 25, 2022 at 06:06:55PM -0500, Maxim Cournoyer wrote:
>> > I suppose we could do it quickly on a branch.
>> 
>> Note that Rust is now needed to build all of GTK, at least on x86_64.
>> That's a rather large rebuild.
>
> Oh, right.
>
> Well, I wonder what we should do?

Perhaps a rebuild branch for it... but let's finish migrating to the new
SSD storage first (we're still just copying part of /var/cache into it).

This should give us some time to update the Rust chain to 1.58.1.  Would
you or anyone else like to try?  It's nothing too difficult; it consists
of moving the test bits to 1.58.1 (the leaf package), and hiding the
previous versions (Rust only supports the latest release).  Then rebuild
the world with it.  We could use this opportunity to ungraft too.

Thanks,

Maxim




Information forwarded to guix-patches <at> gnu.org:
bug#53461; Package guix-patches. (Sat, 26 Feb 2022 06:08:01 GMT) Full text and rfc822 format available.

Message #29 received at 53461 <at> debbugs.gnu.org (full text, mbox):

From: kiasoc5 <at> tutanota.com
To: 53461 <at> debbugs.gnu.org
Subject: RE: [kiasoc5 <at> tutanota.com: Rust CVE]
Date: Sat, 26 Feb 2022 07:07:32 +0100 (CET)

Rust 1.59.0 was released, I've updated this patch. Rust 1.59.0 builds fine but I haven't had a chance to rebuild the world yet. Not sure how to do the commit message here.
[0001-gnu-Add-rust-1.58.patch (text/x-patch, attachment)]
[0002-gnu-Add-rust-1.59.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#53461; Package guix-patches. (Sat, 26 Feb 2022 10:36:01 GMT) Full text and rfc822 format available.

Message #32 received at 53461 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: kiasoc5 <at> tutanota.com, 53461 <at> debbugs.gnu.org
Subject: Re: [bug#53461] [kiasoc5 <at> tutanota.com: Rust CVE]
Date: Sat, 26 Feb 2022 11:35:42 +0100

kiasoc5--- via Guix-patches via wrote on Sat 26-02-2022 at 07:07
[+0100]:
> +(define rust-1.59
> +  (rust-bootstrapped-package
> +   rust-1.58 "1.59.0"
> "1yc5bwcbmbwyvpfq7zvra78l0r8y3lbv60kbr62fzz2vx2pfxj57"))

Is building rust <at> 1.59 with rust <at> 1.58 necessary?  Can it be built
with an earlier rust instead?  I.e., would

(define rust-1.59 (rust-bootstrapped-package rust-1.57 "1.59.0" [...]))

or even

(define rust-1.59 
  (package
    (inherit rust-1.56)
    (source
      (origin
        (inherit (package-source rust-1.56))
        (uri (rust-uri version))
        (sha256 (base32 [...]))))))

work?

Greetings,
Maxime.

Information forwarded to guix-patches <at> gnu.org:
bug#53461; Package guix-patches. (Sun, 27 Feb 2022 06:51:01 GMT) Full text and rfc822 format available.

Message #35 received at 53461 <at> debbugs.gnu.org (full text, mbox):

From: kiasoc5 <at> tutanota.com
To: Maxime Devos <maximedevos <at> telenet.be>, 53461 <53461 <at> debbugs.gnu.org>
Cc: 53461 <53461 <at> debbugs.gnu.org>
Subject: Re: [bug#53461] [kiasoc5 <at> tutanota.com: Rust CVE]
Date: Sun, 27 Feb 2022 07:50:40 +0100 (CET)

mrustc v0.10 was just released, and can bootstrap Rust 1.54. It would help to update mrustc first, then we can try to bootstrap 1.59 from 1.54 and hopefully save some compile time :)


Feb 26, 2022, 10:35 by maximedevos <at> telenet.be:

> kiasoc5--- via Guix-patches via wrote on Sat 26-02-2022 at 07:07
> [+0100]:
>
>> +(define rust-1.59
>> +  (rust-bootstrapped-package
>> +   rust-1.58 "1.59.0"
>> "1yc5bwcbmbwyvpfq7zvra78l0r8y3lbv60kbr62fzz2vx2pfxj57"))
>>
>
> Is building rust <at> 1.59 with rust <at> 1.58 necessary?  Can it be built
> with an earlier rust instead?  I.e., would
>
> (define rust-1.59 (rust-bootstrapped-package rust-1.57 "1.59.0" [...]))
>
> or even
>
> (define rust-1.59 
>  (package
>  (inherit rust-1.56)
>  (source
>  (origin
>  (inherit (package-source rust-1.56))
>  (uri (rust-uri version))
>  (sha256 (base32 [...]))))))
>
> work?
>
> Greetings,
> Maxime.
>





Merged 53461 54439. Request was from Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at> to control <at> debbugs.gnu.org. (Fri, 18 Mar 2022 07:12:02 GMT) Full text and rfc822 format available.

Merged 53461 54439 56684. Request was from Maxime Devos <maximedevos <at> telenet.be> to control <at> debbugs.gnu.org. (Fri, 22 Jul 2022 00:10:01 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 02 Sep 2022 11:24:08 GMT) Full text and rfc822 format available.

This bug report was last modified 1 year and 236 days ago.
