* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
@ 2022-01-23 0:29 Leo Famulari
2022-01-23 3:33 ` Maxim Cournoyer
2022-02-26 6:07 ` kiasoc5--- via Guix-patches via
0 siblings, 2 replies; 11+ messages in thread
From: Leo Famulari @ 2022-01-23 0:29 UTC (permalink / raw)
To: 53461
----- Forwarded message from kiasoc5@tutanota.com -----
Date: Sun, 23 Jan 2022 01:20:10 +0100 (CET)
From: kiasoc5@tutanota.com
To: guix-security@gnu.org
Subject: Rust CVE
Hi,
Rust has a new cve that is only mitigated by upgrading to Rust 1.58+.
https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
Attached is a patch that adds rust-1.58.1. It doesn't replace the default as I'm not sure whether this should be grafted or not.
Thanks
kiasoc5
From 753f4e9c68a7b12267989d1721e97841d9f499d0 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@tutanota.com>
Date: Sat, 22 Jan 2022 19:10:50 -0500
Subject: [PATCH] gnu: Add rust-1.58.
* gnu/packages/rust.scm (rust-1.58): New variable.
---
gnu/packages/rust.scm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 5a6d4a5c30..c9b44da844 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -784,6 +784,10 @@ (define rust-1.57
`("procps" ,procps)
(package-native-inputs base-rust))))))
+(define rust-1.58
+ (rust-bootstrapped-package
+ rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+
;;; Note: Only the latest versions of Rust are supported and tested. The
;;; intermediate rusts are built for bootstrapping purposes and should not
;;; be relied upon. This is to ease maintenance and reduce the time
base-commit: dfc32d8d997da74a6e838b450649bd89905ffdc3
--
2.34.1
----- End forwarded message -----
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
2022-01-23 0:29 [bug#53461] [kiasoc5@tutanota.com: Rust CVE] Leo Famulari
@ 2022-01-23 3:33 ` Maxim Cournoyer
2022-01-23 19:28 ` Leo Famulari
2022-02-26 6:07 ` kiasoc5--- via Guix-patches via
1 sibling, 1 reply; 11+ messages in thread
From: Maxim Cournoyer @ 2022-01-23 3:33 UTC (permalink / raw)
To: Leo Famulari; +Cc: 53461
Hi Leo,
Leo Famulari <leo@famulari.name> writes:
> From: kiasoc5@tutanota.com
> Subject: Rust CVE
> To: guix-security@gnu.org
> Date: Sun, 23 Jan 2022 01:20:10 +0100 (CET) (3 hours, 7 minutes ago)
>
> Hi,
>
> Rust has a new cve that is only mitigated by upgrading to Rust 1.58+.
>
> https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
>
> Attached is a patch that adds rust-1.58.1. It doesn't replace the
> default as I'm not sure whether this should be grafted or not.
>
> Thanks
> kiasoc5
>
>>From 753f4e9c68a7b12267989d1721e97841d9f499d0 Mon Sep 17 00:00:00 2001
> From: kiasoc5 <kiasoc5@tutanota.com>
> Date: Sat, 22 Jan 2022 19:10:50 -0500
> Subject: [PATCH] gnu: Add rust-1.58.
>
> * gnu/packages/rust.scm (rust-1.58): New variable.
> ---
> gnu/packages/rust.scm | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
> index 5a6d4a5c30..c9b44da844 100644
> --- a/gnu/packages/rust.scm
> +++ b/gnu/packages/rust.scm
> @@ -784,6 +784,10 @@ (define rust-1.57
> `("procps" ,procps)
> (package-native-inputs base-rust))))))
>
> +(define rust-1.58
> + (rust-bootstrapped-package
> + rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
> +
The rust-1.57 variable should probably be made private or hidden now.
Also, unless we rebuild all crates with rust-1.58, it seems to me like
we won't be addressing the problem, as the CVE touches the
'remove_dir_all' procedure part of the standard library of Rust (and we
all know Rust likes to build things statically).
Am I missing something?
Thanks,
Maxim
^ permalink raw reply [flat|nested] 11+ messages in thread
* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
2022-01-23 3:33 ` Maxim Cournoyer
@ 2022-01-23 19:28 ` Leo Famulari
2022-01-24 21:31 ` Maxim Cournoyer
0 siblings, 1 reply; 11+ messages in thread
From: Leo Famulari @ 2022-01-23 19:28 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 53461
On Sat, Jan 22, 2022 at 10:33:52PM -0500, Maxim Cournoyer wrote:
> The rust-1.57 variable should probably be made private or hidden now.
>
> Also, unless we rebuild all crates with rust-1.58, it seems to me like
> we won't be addressing the problem, as the CVE touches the
> 'remove_dir_all' procedure part of the standard library of Rust (and we
> all know Rust likes to build things statically).
>
> Am I missing something?
I don't know about Rust things! I just forwarded this message from the
private list to the public list.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
2022-01-23 19:28 ` Leo Famulari
@ 2022-01-24 21:31 ` Maxim Cournoyer
2022-01-25 4:30 ` Leo Famulari
0 siblings, 1 reply; 11+ messages in thread
From: Maxim Cournoyer @ 2022-01-24 21:31 UTC (permalink / raw)
To: Leo Famulari; +Cc: 53461
Hi,
Leo Famulari <leo@famulari.name> writes:
> On Sat, Jan 22, 2022 at 10:33:52PM -0500, Maxim Cournoyer wrote:
>> The rust-1.57 variable should probably be made private or hidden now.
>>
>> Also, unless we rebuild all crates with rust-1.58, it seems to me like
>> we won't be addressing the problem, as the CVE touches the
>> 'remove_dir_all' procedure part of the standard library of Rust (and we
>> all know Rust likes to build things statically).
>>
>> Am I missing something?
>
> I don't know about Rust things! I just forwarded this message from the
> private list to the public list.
OK! I just asked in #rust and they confirmed what I thought (all crates
-- well the ones using 'std::fs::remove_dir_all' but we can't easily
know) needs to be rebuilt if we are to patch that CVE.
Maxim
^ permalink raw reply [flat|nested] 11+ messages in thread
* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
2022-01-24 21:31 ` Maxim Cournoyer
@ 2022-01-25 4:30 ` Leo Famulari
2022-01-25 23:06 ` Maxim Cournoyer
0 siblings, 1 reply; 11+ messages in thread
From: Leo Famulari @ 2022-01-25 4:30 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 53461
On Mon, Jan 24, 2022 at 04:31:25PM -0500, Maxim Cournoyer wrote:
> OK! I just asked in #rust and they confirmed what I thought (all crates
> -- well the ones using 'std::fs::remove_dir_all' but we can't easily
> know) needs to be rebuilt if we are to patch that CVE.
Okay. Let's see...
------
$ git grep cargo-build-system gnu/packages | wc -l
2152
------
I suppose we could do it quickly on a branch.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
2022-01-25 4:30 ` Leo Famulari
@ 2022-01-25 23:06 ` Maxim Cournoyer
2022-01-26 2:57 ` Leo Famulari
0 siblings, 1 reply; 11+ messages in thread
From: Maxim Cournoyer @ 2022-01-25 23:06 UTC (permalink / raw)
To: Leo Famulari; +Cc: 53461
Hello,
Leo Famulari <leo@famulari.name> writes:
> On Mon, Jan 24, 2022 at 04:31:25PM -0500, Maxim Cournoyer wrote:
>> OK! I just asked in #rust and they confirmed what I thought (all crates
>> -- well the ones using 'std::fs::remove_dir_all' but we can't easily
>> know) needs to be rebuilt if we are to patch that CVE.
>
> Okay. Let's see...
>
> ------
> $ git grep cargo-build-system gnu/packages | wc -l
> 2152
> ------
>
> I suppose we could do it quickly on a branch.
Note that Rust is now needed to build all of GTK, at least on x86_64.
That's a rather large rebuild.
Maxim
^ permalink raw reply [flat|nested] 11+ messages in thread
* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
2022-01-25 23:06 ` Maxim Cournoyer
@ 2022-01-26 2:57 ` Leo Famulari
2022-01-27 21:59 ` Maxim Cournoyer
0 siblings, 1 reply; 11+ messages in thread
From: Leo Famulari @ 2022-01-26 2:57 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 53461
On Tue, Jan 25, 2022 at 06:06:55PM -0500, Maxim Cournoyer wrote:
> > I suppose we could do it quickly on a branch.
>
> Note that Rust is now needed to build all of GTK, at least on x86_64.
> That's a rather large rebuild.
Oh, right.
Well, I wonder what we should do?
^ permalink raw reply [flat|nested] 11+ messages in thread
* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
2022-01-26 2:57 ` Leo Famulari
@ 2022-01-27 21:59 ` Maxim Cournoyer
0 siblings, 0 replies; 11+ messages in thread
From: Maxim Cournoyer @ 2022-01-27 21:59 UTC (permalink / raw)
To: Leo Famulari; +Cc: 53461
Hello,
Leo Famulari <leo@famulari.name> writes:
> On Tue, Jan 25, 2022 at 06:06:55PM -0500, Maxim Cournoyer wrote:
>> > I suppose we could do it quickly on a branch.
>>
>> Note that Rust is now needed to build all of GTK, at least on x86_64.
>> That's a rather large rebuild.
>
> Oh, right.
>
> Well, I wonder what we should do?
Perhaps a rebuild branch for it... but let's finish migrating to the new
SSD storage first (we're still just copying part of /var/cache into it).
This should give us some time to update the Rust chain to 1.58.1. Would
you or anyone else like to try? It's nothing to difficult; it consists
of moving the tests bits to 1.58.1 (the leaf package), and hide the
previous versions (Rust only support the latest release). Then rebuild
the world with it. We could use this opportunity to ungraft too.
Thanks,
Maxim
^ permalink raw reply [flat|nested] 11+ messages in thread
* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
2022-01-23 0:29 [bug#53461] [kiasoc5@tutanota.com: Rust CVE] Leo Famulari
2022-01-23 3:33 ` Maxim Cournoyer
@ 2022-02-26 6:07 ` kiasoc5--- via Guix-patches via
2022-02-26 10:35 ` Maxime Devos
1 sibling, 1 reply; 11+ messages in thread
From: kiasoc5--- via Guix-patches via @ 2022-02-26 6:07 UTC (permalink / raw)
To: 53461
[-- Attachment #1: Type: text/plain, Size: 172 bytes --]
Rust 1.59.0 was released, I've updated this patch. Rust 1.59.0 builds fine but I haven't had a chance to rebuild the world yet. Not sure how to do the commit message here.
[-- Attachment #2: 0001-gnu-Add-rust-1.58.patch --]
[-- Type: text/x-patch, Size: 1037 bytes --]
From 9a2a3c79a43f6ebf8d9381cf8aed73ac366e10c9 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@tutanota.com>
Date: Sat, 22 Jan 2022 19:10:50 -0500
Subject: [PATCH 1/2] gnu: Add rust-1.58.
* gnu/packages/rust.scm (rust-1.58): New variable.
---
gnu/packages/rust.scm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 26d6df7a94..9652f331cf 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -784,6 +784,10 @@ (define rust-1.57
`("procps" ,procps)
(package-native-inputs base-rust))))))
+(define rust-1.58
+ (rust-bootstrapped-package
+ rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+
;;; Note: Only the latest versions of Rust are supported and tested. The
;;; intermediate rusts are built for bootstrapping purposes and should not
;;; be relied upon. This is to ease maintenance and reduce the time
base-commit: e725b24d119b47fcfceb9e9ba79ee832318c289e
--
2.35.1
[-- Attachment #3: 0002-gnu-Add-rust-1.59.patch --]
[-- Type: text/x-patch, Size: 1154 bytes --]
From 8e03a6a0a100c751338c1ddfa8d58fd49316e427 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@tutanota.com>
Date: Fri, 25 Feb 2022 09:35:56 -0500
Subject: [PATCH 2/2] gnu: Add rust 1.59.
* gnu/packages/rust.scm (rust-1.59): New variable.
---
gnu/packages/rust.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 9652f331cf..589c8a1b21 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -788,11 +788,14 @@ (define rust-1.58
(rust-bootstrapped-package
rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+(define rust-1.59
+ (rust-bootstrapped-package
+ rust-1.58 "1.59.0" "1yc5bwcbmbwyvpfq7zvra78l0r8y3lbv60kbr62fzz2vx2pfxj57"))
;;; Note: Only the latest versions of Rust are supported and tested. The
;;; intermediate rusts are built for bootstrapping purposes and should not
;;; be relied upon. This is to ease maintenance and reduce the time
;;; required to build the full Rust bootstrap chain.
-(define-public rust rust-1.57)
+(define-public rust rust-1.59)
(define-public rust-src
(hidden-package
--
2.35.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
2022-02-26 6:07 ` kiasoc5--- via Guix-patches via
@ 2022-02-26 10:35 ` Maxime Devos
2022-02-27 6:50 ` kiasoc5--- via Guix-patches via
0 siblings, 1 reply; 11+ messages in thread
From: Maxime Devos @ 2022-02-26 10:35 UTC (permalink / raw)
To: kiasoc5, 53461
[-- Attachment #1: Type: text/plain, Size: 656 bytes --]
kiasoc5--- via Guix-patches via schreef op za 26-02-2022 om 07:07
[+0100]:
> +(define rust-1.59
> + (rust-bootstrapped-package
> + rust-1.58 "1.59.0"
> "1yc5bwcbmbwyvpfq7zvra78l0r8y3lbv60kbr62fzz2vx2pfxj57"))
Is building rust@1.59 with rust@1.58 necessary? Can it be built
with an earlier rust instead? I.e., would
(define rust-1.59 (rust-bootstrapped-package rust-1.57 "1.59.0" [...]))
or even
(define rust-1.59
(package
(inherit rust-1.56)
(source
(origin
(inherit (package-source rust-1.56))
(uri (rust-uri version))
(sha256 (base32 [...]))))))
work?
Greetings,
Maxime.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
2022-02-26 10:35 ` Maxime Devos
@ 2022-02-27 6:50 ` kiasoc5--- via Guix-patches via
0 siblings, 0 replies; 11+ messages in thread
From: kiasoc5--- via Guix-patches via @ 2022-02-27 6:50 UTC (permalink / raw)
To: Maxime Devos, 53461
mrustc v0.10 was just released, and can bootstrap Rust 1.54. It would help to update mrustc first, then we can try to bootstrap 1.59 from 1.54 and hopefully save some compile time :)
Feb 26, 2022, 10:35 by maximedevos@telenet.be:
> kiasoc5--- via Guix-patches via schreef op za 26-02-2022 om 07:07
> [+0100]:
>
>> +(define rust-1.59
>> + (rust-bootstrapped-package
>> + rust-1.58 "1.59.0"
>> "1yc5bwcbmbwyvpfq7zvra78l0r8y3lbv60kbr62fzz2vx2pfxj57"))
>>
>
> Is building rust@1.59 with rust@1.58 necessary? Can it be built
> with an earlier rust instead? I.e., would
>
> (define rust-1.59 (rust-bootstrapped-package rust-1.57 "1.59.0" [...]))
>
> or even
>
> (define rust-1.59
> (package
> (inherit rust-1.56)
> (source
> (origin
> (inherit (package-source rust-1.56))
> (uri (rust-uri version))
> (sha256 (base32 [...]))))))
>
> work?
>
> Greetings,
> Maxime.
>
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2022-02-27 6:52 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-01-23 0:29 [bug#53461] [kiasoc5@tutanota.com: Rust CVE] Leo Famulari
2022-01-23 3:33 ` Maxim Cournoyer
2022-01-23 19:28 ` Leo Famulari
2022-01-24 21:31 ` Maxim Cournoyer
2022-01-25 4:30 ` Leo Famulari
2022-01-25 23:06 ` Maxim Cournoyer
2022-01-26 2:57 ` Leo Famulari
2022-01-27 21:59 ` Maxim Cournoyer
2022-02-26 6:07 ` kiasoc5--- via Guix-patches via
2022-02-26 10:35 ` Maxime Devos
2022-02-27 6:50 ` kiasoc5--- via Guix-patches via
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.