[kiasoc5@tutanota.com: Rust CVE]

Details
5 participants
  • kiasoc5
  • Leo Famulari
  • Liliana Marie Prikler
  • Maxim Cournoyer
  • Maxime Devos
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 23 Jan 2022 01:29
(address . guix-patches@gnu.org)
YeyhhR4Mxc+GzETW@jasmine.lan
----- Forwarded message from kiasoc5@tutanota.com -----

Date: Sun, 23 Jan 2022 01:20:10 +0100 (CET)
From: kiasoc5@tutanota.com
To: guix-security@gnu.org
Subject: Rust CVE

Hi,

Rust has a new CVE that is only mitigated by upgrading to Rust 1.58+.

https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html

Attached is a patch that adds rust-1.58.1. It doesn't replace the default as I'm not sure whether this should be grafted or not.

Thanks
kiasoc5

From 753f4e9c68a7b12267989d1721e97841d9f499d0 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@tutanota.com>
Date: Sat, 22 Jan 2022 19:10:50 -0500
Subject: [PATCH] gnu: Add rust-1.58.

* gnu/packages/rust.scm (rust-1.58): New variable.
---
gnu/packages/rust.scm | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 5a6d4a5c30..c9b44da844 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -784,6 +784,10 @@ (define rust-1.57
`("procps" ,procps)
(package-native-inputs base-rust))))))
+(define rust-1.58
+ (rust-bootstrapped-package
+ rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+
;;; Note: Only the latest versions of Rust are supported and tested. The
;;; intermediate rusts are built for bootstrapping purposes and should not
;;; be relied upon. This is to ease maintenance and reduce the time
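Review bot: the ChangeLog line `(rust-1.58): New variable.` undersells the security effect of leaving `rust` untouched. With this hunk alone, rust-1.58 is, in the words of the `;;; Note:` context directly below it, just another intermediate that is "built for bootstrapping purposes and should not be relied upon", and every cargo-build-system package keeps the 1.57 std it was statically linked against. State in the commit message that the default is deliberately not switched yet and why (the graft question from the cover mail), so the follow-up that flips `(define-public rust ...)` and rebuilds dependents is not lost.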

base-commit: dfc32d8d997da74a6e838b450649bd89905ffdc3
--
2.34.1



----- End forwarded message -----
Maxim Cournoyer wrote on 23 Jan 2022 04:33
(name . Leo Famulari)(address . leo@famulari.name)(address . 53461@debbugs.gnu.org)
87ilub6s7z.fsf@gmail.com
Hi Leo,

Leo Famulari <leo@famulari.name> writes:

> From: kiasoc5@tutanota.com
> Subject: Rust CVE
> To: guix-security@gnu.org
> Date: Sun, 23 Jan 2022 01:20:10 +0100 (CET) (3 hours, 7 minutes ago)
>
> Hi,
>
> Rust has a new cve that is only mitigated by upgrading to Rust 1.58+.
>
> https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
>
> Attached is a patch that adds rust-1.58.1. It doesn't replace the
> default as I'm not sure whether this should be grafted or not.
>
> Thanks
> kiasoc5
>
> From 753f4e9c68a7b12267989d1721e97841d9f499d0 Mon Sep 17 00:00:00 2001
> From: kiasoc5 <kiasoc5@tutanota.com>
> Date: Sat, 22 Jan 2022 19:10:50 -0500
> Subject: [PATCH] gnu: Add rust-1.58.
>
> * gnu/packages/rust.scm (rust-1.58): New variable.
> ---
> gnu/packages/rust.scm | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
> index 5a6d4a5c30..c9b44da844 100644
> --- a/gnu/packages/rust.scm
> +++ b/gnu/packages/rust.scm
> @@ -784,6 +784,10 @@ (define rust-1.57
> `("procps" ,procps)
> (package-native-inputs base-rust))))))
>
> +(define rust-1.58
> + (rust-bootstrapped-package
> + rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
> +

The rust-1.57 variable should probably be made private or hidden now.

Also, unless we rebuild all crates with rust-1.58, it seems to me like
we won't be addressing the problem, as the CVE touches the
'remove_dir_all' procedure part of the standard library of Rust (and we
all know Rust likes to build things statically).

Am I missing something?

Thanks,

Maxim
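Maxim's point above (std is linked statically, so the fix reaches users only through rebuilt binaries) can be checked on a binary instead of taken on faith. The Python script below is an added example from the editor, not code from this thread or from Guix. It relies on two facts about Rust release toolchains: their source tree is remapped to `/rustc/<commit-id>/...` at build time, and std's panic-location strings keep those paths, so the commit id of the toolchain that built a binary is readable from the binary itself. The commit-to-version map and the sample byte strings are constructed placeholders (a real map comes from the rust-lang/rust release tags); `FIXED_VERSION` is the 1.58 threshold the thread states. It carries the same caveat Maxim raises: it tells you which toolchain built a binary, not whether that binary calls `remove_dir_all`.

```python
import re
import sys

# Rust release toolchains are built with their source tree remapped to
# /rustc/<commit-id>/..., and std keeps those paths in the panic-location
# strings it embeds. Because std is linked statically into every Rust
# binary, the commit id of the toolchain that built a binary is inside
# the binary itself, which is why shipping a new rustc alone fixes nothing.
RUSTC_SRC = re.compile(
    rb"/rustc/([0-9a-f]{40})/library/([a-z_]+)/src/([A-Za-z0-9_./-]+)"
)

# The thread states the fix requires Rust 1.58 or newer.
FIXED_VERSION = (1, 58, 0)


def toolchain_commits(data: bytes) -> dict:
    """Map each toolchain commit id found in `data` to the sorted list of
    library source files it references (e.g. 'std/src/fs.rs')."""
    found = {}
    for m in RUSTC_SRC.finditer(data):
        commit = m.group(1).decode()
        src = b"/".join((m.group(2), b"src", m.group(3))).decode()
        found.setdefault(commit, set()).add(src)
    return {c: sorted(s) for c, s in found.items()}


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def verdict(data: bytes, commit_versions: dict) -> str:
    """'rebuild' if the binary embeds a toolchain older than FIXED_VERSION,
    'ok' if every embedded toolchain is fixed, 'unknown' if there is no
    toolchain marker or a commit id is missing from `commit_versions`."""
    commits = toolchain_commits(data)
    if not commits:
        return "unknown"
    unknown = False
    for commit in commits:
        version = commit_versions.get(commit)
        if version is None:
            unknown = True
        elif parse_version(version) < FIXED_VERSION:
            return "rebuild"
    return "unknown" if unknown else "ok"


def scan_file(path: str, commit_versions: dict) -> str:
    with open(path, "rb") as fh:
        return verdict(fh.read(), commit_versions)


# Constructed commit ids and version map. Real ids are the release commits
# in rust-lang/rust; these placeholders only exercise the logic.
OLD_COMMIT = "0" * 37 + "157"   # stands in for a 1.57.0 toolchain
NEW_COMMIT = "0" * 37 + "158"   # stands in for a 1.58.1 toolchain
COMMIT_VERSIONS = {OLD_COMMIT: "1.57.0", NEW_COMMIT: "1.58.1"}

# Constructed byte strings imitating what `strings` shows in a Rust binary.
OLD_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"/rustc/" + OLD_COMMIT.encode() + b"/library/std/src/fs.rs\x00"
    + b"called `Result::unwrap()` on an `Err` value\x00"
)
NEW_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"/rustc/" + NEW_COMMIT.encode() + b"/library/core/src/result.rs\x00"
    + b"/rustc/" + NEW_COMMIT.encode() + b"/library/std/src/fs.rs\x00"
)

if __name__ == "__main__":
    # Usage: python3 rust_toolchain_check.py <binary>...
    for path in sys.argv[1:]:
        print(path, scan_file(path, COMMIT_VERSIONS))
    if len(sys.argv) == 1:
        print("old sample:", verdict(OLD_BINARY, COMMIT_VERSIONS))
        print("new sample:", verdict(NEW_BINARY, COMMIT_VERSIONS))
```

A binary with no `/rustc/<commit>/` marker, or one built from a commit that is not in the map, is reported as `unknown` rather than `ok` on purpose: for a distribution deciding what to rebuild, absence of evidence is not a pass.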
Leo Famulari wrote on 23 Jan 2022 20:28
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 53461@debbugs.gnu.org)
Ye2sclMdhTU/E5xE@jasmine.lan
On Sat, Jan 22, 2022 at 10:33:52PM -0500, Maxim Cournoyer wrote:
> The rust-1.57 variable should probably be made private or hidden now.
>
> Also, unless we rebuild all crates with rust-1.58, it seems to me like
> we won't be addressing the problem, as the CVE touches the
> 'remove_dir_all' procedure part of the standard library of Rust (and we
> all know Rust likes to build things statically).
>
> Am I missing something?

I don't know about Rust things! I just forwarded this message from the
private list to the public list.
Maxim Cournoyer wrote on 24 Jan 2022 22:31
(name . Leo Famulari)(address . leo@famulari.name)(address . 53461@debbugs.gnu.org)
87ee4w6csy.fsf@gmail.com
Hi,

Leo Famulari <leo@famulari.name> writes:

> On Sat, Jan 22, 2022 at 10:33:52PM -0500, Maxim Cournoyer wrote:
>> The rust-1.57 variable should probably be made private or hidden now.
>>
>> Also, unless we rebuild all crates with rust-1.58, it seems to me like
>> we won't be addressing the problem, as the CVE touches the
>> 'remove_dir_all' procedure part of the standard library of Rust (and we
>> all know Rust likes to build things statically).
>>
>> Am I missing something?
>
> I don't know about Rust things! I just forwarded this message from the
> private list to the public list.

OK! I just asked in #rust and they confirmed what I thought (all crates
-- well the ones using 'std::fs::remove_dir_all' but we can't easily
know) need to be rebuilt if we are to patch that CVE.

Maxim
Leo Famulari wrote on 25 Jan 2022 05:30
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 53461@debbugs.gnu.org)
Ye99A70hzK4zXHgO@jasmine.lan
On Mon, Jan 24, 2022 at 04:31:25PM -0500, Maxim Cournoyer wrote:
> OK! I just asked in #rust and they confirmed what I thought (all crates
> -- well the ones using 'std::fs::remove_dir_all' but we can't easily
> know) needs to be rebuilt if we are to patch that CVE.

Okay. Let's see...

------
$ git grep cargo-build-system gnu/packages | wc -l
2152
------

I suppose we could do it quickly on a branch.
Maxim Cournoyer wrote on 26 Jan 2022 00:06
(name . Leo Famulari)(address . leo@famulari.name)(address . 53461@debbugs.gnu.org)
87ee4v4dps.fsf@gmail.com
Hello,

Leo Famulari <leo@famulari.name> writes:

> On Mon, Jan 24, 2022 at 04:31:25PM -0500, Maxim Cournoyer wrote:
>> OK! I just asked in #rust and they confirmed what I thought (all crates
>> -- well the ones using 'std::fs::remove_dir_all' but we can't easily
>> know) needs to be rebuilt if we are to patch that CVE.
>
> Okay. Let's see...
>
> ------
> $ git grep cargo-build-system gnu/packages | wc -l
> 2152
> ------
>
> I suppose we could do it quickly on a branch.

Note that Rust is now needed to build all of GTK, at least on x86_64.
That's a rather large rebuild.

Maxim
Leo Famulari wrote on 26 Jan 2022 03:57
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 53461@debbugs.gnu.org)
YfC4km4gTGOaevY+@jasmine.lan
On Tue, Jan 25, 2022 at 06:06:55PM -0500, Maxim Cournoyer wrote:
> > I suppose we could do it quickly on a branch.
>
> Note that Rust is now needed to build all of GTK, at least on x86_64.
> That's a rather large rebuild.

Oh, right.

Well, I wonder what we should do?
Maxim Cournoyer wrote on 27 Jan 2022 22:59
(name . Leo Famulari)(address . leo@famulari.name)(address . 53461@debbugs.gnu.org)
87mtjgzvoz.fsf@gmail.com
Hello,

Leo Famulari <leo@famulari.name> writes:

> On Tue, Jan 25, 2022 at 06:06:55PM -0500, Maxim Cournoyer wrote:
>> > I suppose we could do it quickly on a branch.
>>
>> Note that Rust is now needed to build all of GTK, at least on x86_64.
>> That's a rather large rebuild.
>
> Oh, right.
>
> Well, I wonder what we should do?

Perhaps a rebuild branch for it... but let's finish migrating to the new
SSD storage first (we're still just copying part of /var/cache into it).

This should give us some time to update the Rust chain to 1.58.1. Would
you or anyone else like to try? It's nothing too difficult; it consists
of moving the test bits to 1.58.1 (the leaf package), and hiding the
previous versions (Rust only supports the latest release). Then rebuild
the world with it. We could use this opportunity to ungraft too.

Thanks,

Maxim
kiasoc5 wrote on 26 Feb 2022 07:07
RE: [kiasoc5@tutanota.com: Rust CVE]
(address . 53461@debbugs.gnu.org)
MwocHBM--3-2@tutanota.com
Rust 1.59.0 was released, I've updated this patch. Rust 1.59.0 builds fine but I haven't had a chance to rebuild the world yet. Not sure how to do the commit message here.

From 9a2a3c79a43f6ebf8d9381cf8aed73ac366e10c9 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@tutanota.com>
Date: Sat, 22 Jan 2022 19:10:50 -0500
Subject: [PATCH 1/2] gnu: Add rust-1.58.

* gnu/packages/rust.scm (rust-1.58): New variable.
---
gnu/packages/rust.scm | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 26d6df7a94..9652f331cf 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -784,6 +784,10 @@ (define rust-1.57
`("procps" ,procps)
(package-native-inputs base-rust))))))
+(define rust-1.58
+ (rust-bootstrapped-package
+ rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+
;;; Note: Only the latest versions of Rust are supported and tested. The
;;; intermediate rusts are built for bootstrapping purposes and should not
;;; be relied upon. This is to ease maintenance and reduce the time
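Review bot: this is the same hunk as the January submission, rebased onto base-commit e725b24d119b47fcfceb9e9ba79ee832318c289e. Now that 2/2 bootstraps 1.59 from this rust-1.58, the series description should justify the extra step: each link in the `rust-bootstrapped-package` chain is a full rustc build that, per the `;;; Note:` context lines, is itself never tested or supported. If 1.59 can be built from rust-1.57 directly, this patch can be dropped and the chain stays one step shorter.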

base-commit: e725b24d119b47fcfceb9e9ba79ee832318c289e
--
2.35.1
From 8e03a6a0a100c751338c1ddfa8d58fd49316e427 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@tutanota.com>
Date: Fri, 25 Feb 2022 09:35:56 -0500
Subject: [PATCH 2/2] gnu: Add rust 1.59.

* gnu/packages/rust.scm (rust-1.59): New variable.
---
gnu/packages/rust.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 9652f331cf..589c8a1b21 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -788,11 +788,14 @@ (define rust-1.58
(rust-bootstrapped-package
rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+(define rust-1.59
+ (rust-bootstrapped-package
+ rust-1.58 "1.59.0" "1yc5bwcbmbwyvpfq7zvra78l0r8y3lbv60kbr62fzz2vx2pfxj57"))
;;; Note: Only the latest versions of Rust are supported and tested. The
;;; intermediate rusts are built for bootstrapping purposes and should not
;;; be relied upon. This is to ease maintenance and reduce the time
;;; required to build the full Rust bootstrap chain.
-(define-public rust rust-1.57)
+(define-public rust rust-1.59)
(define-public rust-src
(hidden-package
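Review bot: the ChangeLog entry `(rust-1.59): New variable.` omits the change that matters here, `-(define-public rust rust-1.57)` / `+(define-public rust rust-1.59)`; add an entry for `(rust)` saying it is updated to 1.59.0, and name the subject the way Maxime notes below (Guix calls this an update, not an add). That single line is the world rebuild the thread discusses (every cargo-build-system package, plus GTK on x86_64), so the series should target a dedicated rebuild branch rather than master.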
--
2.35.1
Maxime Devos wrote on 26 Feb 2022 11:35
Re: [bug#53461] [kiasoc5@tutanota.com: Rust CVE]
1174c7a10cf26efa69c9e2ee31d8f115cf65e851.camel@telenet.be
kiasoc5--- via Guix-patches via wrote on Sat 26-02-2022 at 07:07
[+0100]:
> +(define rust-1.59
> +  (rust-bootstrapped-package
> +   rust-1.58 "1.59.0"
> "1yc5bwcbmbwyvpfq7zvra78l0r8y3lbv60kbr62fzz2vx2pfxj57"))

Is building rust@1.59 with rust@1.58 necessary? Can it be built
with an earlier rust instead? I.e., would

(define rust-1.59 (rust-bootstrapped-package rust-1.57 "1.59.0" [...]))

or even

(define rust-1.59
  (package
    (inherit rust-1.56)
    (version "1.59.0")
    (source
     (origin
       (inherit (package-source rust-1.56))
       (uri (rust-uri version))
       (sha256 (base32 [...]))))))

work?

Greetings,
Maxime.
kiasoc5 wrote on 27 Feb 2022 07:50
(name . 53461)(address . 53461@debbugs.gnu.org)
MwtwWAK--3-2@tutanota.com
mrustc v0.10 was just released, and can bootstrap Rust 1.54. It would help to update mrustc first, then we can try to bootstrap 1.59 from 1.54 and hopefully save some compile time :)


Feb 26, 2022, 10:35 by maximedevos@telenet.be:

> kiasoc5--- via Guix-patches via wrote on Sat 26-02-2022 at 07:07
> [+0100]:
>
>> +(define rust-1.59
>> +  (rust-bootstrapped-package
>> +   rust-1.58 "1.59.0"
>> "1yc5bwcbmbwyvpfq7zvra78l0r8y3lbv60kbr62fzz2vx2pfxj57"))
>>
>
> Is building rust@1.59 with rust@1.58 necessary? Can it be built
> with an earlier rust instead? I.e., would
>
> (define rust-1.59 (rust-bootstrapped-package rust-1.57 "1.59.0" [...]))
>
> or even
>
> (define rust-1.59 
> (package
> (inherit rust-1.56)
> (source
> (origin
> (inherit (package-source rust-1.56))
> (uri (rust-uri version))
> (sha256 (base32 [...]))))))
>
> work?
>
> Greetings,
> Maxime.
>
Liliana Marie Prikler wrote on 18 Mar 2022 08:11
(address . control@debbugs.gnu.org)(address . paul@unnservice.com)
4d213332a2f29554b7ce8228eda9d45bf9a41f45.camel@ist.tugraz.at
merge 54439 53461
thanks

Note that Rust is a silent world rebuild. Thanks, cargo.
Maxime Devos wrote on 22 Jul 2022 02:09
(address . control@debbugs.gnu.org)
c27ef8a0-0b8b-3480-1a73-70223ee22ac2@telenet.be
merge 54439 56684
thanks
You aren't bumping the version but adding a new version of the Rust
package, the old one is still there. Also, conventionally it is named
updating in Guix, and a commit message is missing. For examples see the
git history.
Are all the intermediate steps needed, or could you reduce the number of
new intermediate packages?
E.g., you could try going directly from 1.57 to 1.60 without
intermediate steps. If that's possible, it would be less inefficient to
compile.
Also, there are already patches for updating rust, see
already existing patches before posting duplicates, to avoid double
work, etc.
Greetings,
Maxime.