unofficial mirror of guix-patches@gnu.org 
* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
From: Leo Famulari @ 2022-01-23  0:29 UTC
  To: 53461

----- Forwarded message from kiasoc5@tutanota.com -----

Date: Sun, 23 Jan 2022 01:20:10 +0100 (CET)
From: kiasoc5@tutanota.com
To: guix-security@gnu.org
Subject: Rust CVE

Hi,

Rust has a new CVE that is only mitigated by upgrading to Rust 1.58+.

https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html

Attached is a patch that adds rust-1.58.1. It doesn't replace the default as I'm not sure whether this should be grafted or not.

Thanks
kiasoc5

From 753f4e9c68a7b12267989d1721e97841d9f499d0 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@tutanota.com>
Date: Sat, 22 Jan 2022 19:10:50 -0500
Subject: [PATCH] gnu: Add rust-1.58.

* gnu/packages/rust.scm (rust-1.58): New variable.
---
 gnu/packages/rust.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 5a6d4a5c30..c9b44da844 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -784,6 +784,10 @@ (define rust-1.57
                             `("procps" ,procps)
                             (package-native-inputs base-rust))))))
 
+(define rust-1.58
+  (rust-bootstrapped-package
+   rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+
 ;;; Note: Only the latest versions of Rust are supported and tested.  The
 ;;; intermediate rusts are built for bootstrapping purposes and should not
 ;;; be relied upon.  This is to ease maintenance and reduce the time

base-commit: dfc32d8d997da74a6e838b450649bd89905ffdc3
-- 
2.34.1



----- End forwarded message -----

* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
From: Maxim Cournoyer @ 2022-01-23  3:33 UTC
  To: Leo Famulari; +Cc: 53461

Hi Leo,

Leo Famulari <leo@famulari.name> writes:

> From: kiasoc5@tutanota.com
> Subject: Rust CVE
> To: guix-security@gnu.org
> Date: Sun, 23 Jan 2022 01:20:10 +0100 (CET) (3 hours, 7 minutes ago)
>
> Hi,
>
> Rust has a new cve that is only mitigated by upgrading to Rust 1.58+.
>
> https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
>
> Attached is a patch that adds rust-1.58.1. It doesn't replace the
> default as I'm not sure whether this should be grafted or not.
>
> Thanks
> kiasoc5
>
> From 753f4e9c68a7b12267989d1721e97841d9f499d0 Mon Sep 17 00:00:00 2001
> From: kiasoc5 <kiasoc5@tutanota.com>
> Date: Sat, 22 Jan 2022 19:10:50 -0500
> Subject: [PATCH] gnu: Add rust-1.58.
>
> * gnu/packages/rust.scm (rust-1.58): New variable.
> ---
>  gnu/packages/rust.scm | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
> index 5a6d4a5c30..c9b44da844 100644
> --- a/gnu/packages/rust.scm
> +++ b/gnu/packages/rust.scm
> @@ -784,6 +784,10 @@ (define rust-1.57
>                              `("procps" ,procps)
>                              (package-native-inputs base-rust))))))
>  
> +(define rust-1.58
> +  (rust-bootstrapped-package
> +   rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
> +

The rust-1.57 variable should probably be made private or hidden now.

Also, unless we rebuild all crates with rust-1.58, it seems to me like
we won't be addressing the problem, as the CVE touches the
'remove_dir_all' procedure part of the standard library of Rust (and we
all know Rust likes to build things statically).

Am I missing something?

Thanks,

Maxim

* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
From: Leo Famulari @ 2022-01-23 19:28 UTC
  To: Maxim Cournoyer; +Cc: 53461

On Sat, Jan 22, 2022 at 10:33:52PM -0500, Maxim Cournoyer wrote:
> The rust-1.57 variable should probably be made private or hidden now.
> 
> Also, unless we rebuild all crates with rust-1.58, it seems to me like
> we won't be addressing the problem, as the CVE touches the
> 'remove_dir_all' procedure part of the standard library of Rust (and we
> all know Rust likes to build things statically).
> 
> Am I missing something?

I don't know about Rust things! I just forwarded this message from the
private list to the public list.

* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
From: Maxim Cournoyer @ 2022-01-24 21:31 UTC
  To: Leo Famulari; +Cc: 53461

Hi,

Leo Famulari <leo@famulari.name> writes:

> On Sat, Jan 22, 2022 at 10:33:52PM -0500, Maxim Cournoyer wrote:
>> The rust-1.57 variable should probably be made private or hidden now.
>> 
>> Also, unless we rebuild all crates with rust-1.58, it seems to me like
>> we won't be addressing the problem, as the CVE touches the
>> 'remove_dir_all' procedure part of the standard library of Rust (and we
>> all know Rust likes to build things statically).
>> 
>> Am I missing something?
>
> I don't know about Rust things! I just forwarded this message from the
> private list to the public list.

OK!  I just asked in #rust and they confirmed what I thought (all crates
-- well the ones using 'std::fs::remove_dir_all' but we can't easily
know) need to be rebuilt if we are to patch that CVE.

Maxim
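
The two messages above make the point that the fix lives in Rust's standard library, which is linked statically into every crate, so upgrading the compiler package does nothing for binaries that were already built. The following is an added example (not code from the Guix patch or from anyone in this thread) of how a defender can check what a profile actually contains: rustc records the toolchain it came from as a "rustc version X.Y.Z (...)" string in the ELF `.comment` section, so scanning executables for that string and comparing it against the first fixed release (1.58.1, per the advisory linked above) shows which binaries still carry the old std. The sample files in the test are constructed inputs, and the directory to scan (a Guix profile's bin/, for instance) is an assumption.

```shell
#!/bin/sh
# Added example: find executables built with a rustc older than the first
# release that ships the std::fs::remove_dir_all fix. Not part of the Guix
# patch or thread; the .comment string format is rustc's usual behaviour.

FIXED_VERSION="1.58.1"   # first release carrying the fix (from the linked advisory)

# Print the rustc version embedded in FILE (first match), or nothing if the
# file was not produced by rustc.
rustc_version_of() {
    grep -a -o 'rustc version [0-9][0-9.]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^rustc version //'
}

# Return 0 when dotted version $1 is strictly older than dotted version $2.
# Done in awk so it works without GNU sort -V.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;   # equal versions are not "older"
    }'
}

# Classify one file: "vulnerable <ver>", "fixed <ver>" or "not-rust".
classify() {
    v=$(rustc_version_of "$1")
    if [ -z "$v" ]; then
        echo "not-rust"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable $v"
    else
        echo "fixed $v"
    fi
}

# Walk a directory (assumed: a profile's bin/ or a set of store items) and
# report every executable whose embedded rustc predates FIXED_VERSION.
scan_dir() {
    find "$1" -type f -perm -u+x 2>/dev/null | while read -r f; do
        r=$(classify "$f")
        case $r in
            vulnerable*) echo "$f: $r" ;;
        esac
    done
}

# Usage: scan_dir ~/.guix-profile/bin
```

The scan only tells you which binaries embed an old toolchain string; it cannot tell whether a given crate calls remove_dir_all at all, which is exactly the "we can't easily know" problem above. That is why the thread concludes that the safe remediation is rebuilding everything against the fixed compiler rather than trying to enumerate affected crates.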

* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
From: Leo Famulari @ 2022-01-25  4:30 UTC
  To: Maxim Cournoyer; +Cc: 53461

On Mon, Jan 24, 2022 at 04:31:25PM -0500, Maxim Cournoyer wrote:
> OK!  I just asked in #rust and they confirmed what I thought (all crates
> -- well the ones using 'std::fs::remove_dir_all' but we can't easily
> know) needs to be rebuilt if we are to patch that CVE.

Okay. Let's see...

------
$ git grep cargo-build-system gnu/packages | wc -l
2152
------

I suppose we could do it quickly on a branch.

* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
From: Maxim Cournoyer @ 2022-01-25 23:06 UTC
  To: Leo Famulari; +Cc: 53461

Hello,

Leo Famulari <leo@famulari.name> writes:

> On Mon, Jan 24, 2022 at 04:31:25PM -0500, Maxim Cournoyer wrote:
>> OK!  I just asked in #rust and they confirmed what I thought (all crates
>> -- well the ones using 'std::fs::remove_dir_all' but we can't easily
>> know) needs to be rebuilt if we are to patch that CVE.
>
> Okay. Let's see...
>
> ------
> $ git grep cargo-build-system gnu/packages | wc -l
> 2152
> ------
>
> I suppose we could do it quickly on a branch.

Note that Rust is now needed to build all of GTK, at least on x86_64.
That's a rather large rebuild.

Maxim

* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
From: Leo Famulari @ 2022-01-26  2:57 UTC
  To: Maxim Cournoyer; +Cc: 53461

On Tue, Jan 25, 2022 at 06:06:55PM -0500, Maxim Cournoyer wrote:
> > I suppose we could do it quickly on a branch.
> 
> Note that Rust is now needed to build all of GTK, at least on x86_64.
> That's a rather large rebuild.

Oh, right.

Well, I wonder what we should do?

* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
From: Maxim Cournoyer @ 2022-01-27 21:59 UTC
  To: Leo Famulari; +Cc: 53461

Hello,

Leo Famulari <leo@famulari.name> writes:

> On Tue, Jan 25, 2022 at 06:06:55PM -0500, Maxim Cournoyer wrote:
>> > I suppose we could do it quickly on a branch.
>> 
>> Note that Rust is now needed to build all of GTK, at least on x86_64.
>> That's a rather large rebuild.
>
> Oh, right.
>
> Well, I wonder what we should do?

Perhaps a rebuild branch for it... but let's finish migrating to the new
SSD storage first (we're still just copying part of /var/cache into it).

This should give us some time to update the Rust chain to 1.58.1.  Would
you or anyone else like to try?  It's nothing too difficult; it consists
of moving the test bits to 1.58.1 (the leaf package), and hiding the
previous versions (Rust only supports the latest release).  Then rebuild
the world with it.  We could use this opportunity to ungraft too.

Thanks,

Maxim

* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
From: kiasoc5--- via Guix-patches via @ 2022-02-26  6:07 UTC
  To: 53461

Rust 1.59.0 was released, I've updated this patch. Rust 1.59.0 builds fine but I haven't had a chance to rebuild the world yet. Not sure how to do the commit message here.


From 9a2a3c79a43f6ebf8d9381cf8aed73ac366e10c9 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@tutanota.com>
Date: Sat, 22 Jan 2022 19:10:50 -0500
Subject: [PATCH 1/2] gnu: Add rust-1.58.

* gnu/packages/rust.scm (rust-1.58): New variable.
---
 gnu/packages/rust.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 26d6df7a94..9652f331cf 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -784,6 +784,10 @@ (define rust-1.57
                             `("procps" ,procps)
                             (package-native-inputs base-rust))))))
 
+(define rust-1.58
+  (rust-bootstrapped-package
+   rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+
 ;;; Note: Only the latest versions of Rust are supported and tested.  The
 ;;; intermediate rusts are built for bootstrapping purposes and should not
 ;;; be relied upon.  This is to ease maintenance and reduce the time

base-commit: e725b24d119b47fcfceb9e9ba79ee832318c289e
-- 
2.35.1



From 8e03a6a0a100c751338c1ddfa8d58fd49316e427 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@tutanota.com>
Date: Fri, 25 Feb 2022 09:35:56 -0500
Subject: [PATCH 2/2] gnu: Add rust 1.59.

* gnu/packages/rust.scm (rust-1.59): New variable.
---
 gnu/packages/rust.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 9652f331cf..589c8a1b21 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -788,11 +788,14 @@ (define rust-1.58
   (rust-bootstrapped-package
    rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
 
+(define rust-1.59
+  (rust-bootstrapped-package
+   rust-1.58 "1.59.0" "1yc5bwcbmbwyvpfq7zvra78l0r8y3lbv60kbr62fzz2vx2pfxj57"))
 ;;; Note: Only the latest versions of Rust are supported and tested.  The
 ;;; intermediate rusts are built for bootstrapping purposes and should not
 ;;; be relied upon.  This is to ease maintenance and reduce the time
 ;;; required to build the full Rust bootstrap chain.
-(define-public rust rust-1.57)
+(define-public rust rust-1.59)
 
 (define-public rust-src
   (hidden-package
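Review bot: the inserted `(define rust-1.59 ...)` at the top of the hunk runs straight into the `;;; Note:` comment; the definitions above it are separated by a blank line (patch 1/2 added one after `rust-1.58`), so add a blank `+` line after the closing `))`. The changelog entry also lists only `(rust-1.59): New variable.` while the hunk additionally changes `(define-public rust rust-1.57)` to `rust-1.59`; that needs its own entry, e.g. `(rust): Point to rust-1.59.`, which answers the commit-message question in the message body. Note that this second line is what turns the patch into the rebuild of every cargo-build-system package (and GTK) discussed above, so it is the part that belongs on a dedicated branch rather than master. Minor: the subject "gnu: Add rust 1.59." should follow the "gnu: Add rust-1.58." form of the first patch.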
-- 
2.35.1

* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
From: Maxime Devos @ 2022-02-26 10:35 UTC
  To: kiasoc5, 53461

kiasoc5--- via Guix-patches via wrote on Sat 26-02-2022 at 07:07
[+0100]:
> +(define rust-1.59
> +  (rust-bootstrapped-package
> +   rust-1.58 "1.59.0"
> "1yc5bwcbmbwyvpfq7zvra78l0r8y3lbv60kbr62fzz2vx2pfxj57"))

Is building rust@1.59 with rust@1.58 necessary?  Can it be built
with an earlier rust instead?  I.e., would

(define rust-1.59 (rust-bootstrapped-package rust-1.57 "1.59.0" [...]))

or even

(define rust-1.59 
  (package
    (inherit rust-1.56)
    (source
      (origin
        (inherit (package-source rust-1.56))
        (uri (rust-uri version))
        (sha256 (base32 [...]))))))

work?

Greetings,
Maxime.


* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
From: kiasoc5--- via Guix-patches via @ 2022-02-27  6:50 UTC
  To: Maxime Devos, 53461

mrustc v0.10 was just released, and can bootstrap Rust 1.54. It would help to update mrustc first, then we can try to bootstrap 1.59 from 1.54 and hopefully save some compile time :)


Feb 26, 2022, 10:35 by maximedevos@telenet.be:

> kiasoc5--- via Guix-patches via wrote on Sat 26-02-2022 at 07:07
> [+0100]:
>
>> +(define rust-1.59
>> +  (rust-bootstrapped-package
>> +   rust-1.58 "1.59.0"
>> "1yc5bwcbmbwyvpfq7zvra78l0r8y3lbv60kbr62fzz2vx2pfxj57"))
>>
>
> Is building rust@1.59 with rust@1.58 necessary?  Can it be built
> with an earlier rust instead?  I.e., would
>
> (define rust-1.59 (rust-bootstrapped-package rust-1.57 "1.59.0" [...]))
>
> or even
>
> (define rust-1.59
>   (package
>     (inherit rust-1.56)
>     (source
>       (origin
>         (inherit (package-source rust-1.56))
>         (uri (rust-uri version))
>         (sha256 (base32 [...]))))))
>
> work?
>
> Greetings,
> Maxime.
>
