rust-1.66.1-2.el9

エラータID: AXSA:2023-6341:10

Release date: 
Wednesday, August 16, 2023 - 13:23
Subject: 
rust-1.66.1-2.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries.

Security Fix(es):

* rust-cargo: cargo does not respect the umask when extracting dependencies (CVE-2023-38497)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-38497
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.

Solution: 

Update packages.

CVEs: 
CVE-2023-38497
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.
Additional Info: 

N/A

Download: 

SRPMS
  1. rust-1.66.1-2.el9.src.rpm
    MD5: d22ad11db0979155064177c803041b4c
    SHA-256: 85b7eed4c3fa121137728a19c62187bd4663ee49e27560d323728fb97b3c0477
    Size: 136.46 MB

Asianux Server 9 for x86_64
  1. cargo-1.66.1-2.el9.x86_64.rpm
    MD5: a33cc80434f36ec5f29f814048750a1b
    SHA-256: c57d914447a5338e941b18d783e554284424a0e5f8f6cc999816f22d54f2642c
    Size: 4.67 MB
  2. clippy-1.66.1-2.el9.x86_64.rpm
    MD5: e6b507f118c79c2631e09681933aaad3
    SHA-256: 94d5145ea143400e76b588bec8adf058f9b3fc6451cbe32c600375f187bd889b
    Size: 2.52 MB
  3. rust-1.66.1-2.el9.x86_64.rpm
    MD5: 47eff1a2f68eec527b08d9fefa18edf5
    SHA-256: d291c4602572af00ea2d65c3ee1458e0051ef1c181a244669b6afa38d79b5005
    Size: 27.30 MB
  4. rust-analysis-1.66.1-2.el9.x86_64.rpm
    MD5: 3745d37e8e5095a85cd41581dc702b96
    SHA-256: 783585d0e7588e87e788beccd0958bb4f111319189b0151f5bc267ba5cdd13bc
    Size: 3.27 MB
  5. rust-analyzer-1.66.1-2.el9.x86_64.rpm
    MD5: 33c0c96db1d0a524324f2e7a862861e5
    SHA-256: 594bce033a08ba7956db05ae4673e6e257d358705bbf1feaa2d6abdd54c39256
    Size: 7.48 MB
  6. rust-debugger-common-1.66.1-2.el9.noarch.rpm
    MD5: 64f19e3208b562a3a38dd88b6a29f3e4
    SHA-256: 2f9bd17e5ad28849d61bf273eff89682f9e605e96c1b8010c7d07fe2de3633fc
    Size: 9.53 kB
  7. rust-doc-1.66.1-2.el9.x86_64.rpm
    MD5: 8f05ba840eaca16e4e17bbb46f7cdaf1
    SHA-256: 2b8e16704bc7f0b8c02c95d9b2a36ff0108b167230fae8ae9dae9f2456130695
    Size: 27.99 MB
  8. rustfmt-1.66.1-2.el9.x86_64.rpm
    MD5: 351e95492cd5bdf369ea397a3fe47022
    SHA-256: 6a6351a57ed253438d8b847f076c7f12ea168f6e9809f7e8c095e6915a65a8e1
    Size: 2.93 MB
  9. rust-gdb-1.66.1-2.el9.noarch.rpm
    MD5: 102a47130722db99d773be2578045c56
    SHA-256: 773c9a01bba7e89e12529a915d2e32304ae56d2ccd33ef7d393ec8ac6279867b
    Size: 12.90 kB
  10. rust-lldb-1.66.1-2.el9.noarch.rpm
    MD5: 2aa8ea7153f9b8c3a6eed09068b6a940
    SHA-256: 712edfdda0c8da2ca27cf8deeeb7e06a1554dec1ef4ed2e2e5b9e1d905e60c18
    Size: 14.36 kB
  11. rust-src-1.66.1-2.el9.noarch.rpm
    MD5: 4d03a1d211b65586a13545c28a1faa6a
    SHA-256: b41df7e101b6f898e37191e4c4ad51697c6bf13c1ca96d4b43084a021e22d7ad
    Size: 2.44 MB
  12. rust-std-static-1.66.1-2.el9.i686.rpm
    MD5: 61d4cc908d9830f3204ea12cc89e6472
    SHA-256: ba9f4f1f2fda47ff56a4613894025bf848c22f95025c4212b7ef611e0111d1ca
    Size: 29.53 MB
  13. rust-std-static-1.66.1-2.el9.x86_64.rpm
    MD5: fe0c79c0a802648c113f3817be2177de
    SHA-256: 3ed27f5702cb7330c79fc9f64e0b6a2986a75b8256321f329832aefa5c34aa28
    Size: 29.82 MB
  14. rust-std-static-wasm32-unknown-unknown-1.66.1-2.el9.noarch.rpm
    MD5: afefec5736a376ef886136d60e8d717f
    SHA-256: f8e8e30d81d64e4424f0a5c33517589fc137c801c970a33b25514caa64a6c519
    Size: 26.24 MB
  15. rust-std-static-wasm32-wasi-1.66.1-2.el9.noarch.rpm
    MD5: 43b68d6aedc5115783774ba4ff783803
    SHA-256: 6cd480e796b7feb2eb460b0b21ac93301de21e4a4db9a848152a2327be85c118
    Size: 27.14 MB
  16. rust-toolset-1.66.1-2.el9.x86_64.rpm
    MD5: 36c5e1ba5c29e4650c17d65f53d152fb
    SHA-256: 71118d60e76263a240f9999355cc5e674db7038b88426c56241f230f9734dd32
    Size: 9.13 kB