rust-toolset:rhel8 security update

エラータID: AXSA:2023-6349:01

Release date: 
Thursday, August 17, 2023 - 12:18
Subject: 
rust-toolset:rhel8 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Rust Toolset provides the Rust programming language compiler rustc, the cargo
build tool and dependency manager, and required libraries.

Security Fix(es):

* rust-cargo: cargo does not respect the umask when extracting dependencies
(CVE-2023-38497)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2023-38497
Cargo downloads the Rust project’s dependencies and compiles the project.
Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did
not respect the umask when extracting crate archives on UNIX-like systems. If
the user downloaded a crate containing files writeable by any local user,
another local user could exploit this to change the source code compiled and
executed by the current user. To prevent existing cached extractions from being
exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later
will purge caches generated by older Cargo versions automatically. As a
workaround, configure one's system to prevent other local users from accessing
the Cargo directory, usually located in `~/.cargo`.

Modularity name: rust-toolset
Stream name: rhel8

Solution: 

Update packages.

CVEs: 
CVE-2023-38497
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.
Additional Info: 

N/A

Download: 

SRPMS
  1. rust-1.66.1-2.module+el8+1654+241c134b.src.rpm
    MD5: e5a167ccb43dd8f3043c7712cca0230e
    SHA-256: eee69b9e5f694bd16954582ecb5bd90fb5fd9024707f5d316ca3e691da6bceb5
    Size: 136.46 MB

Asianux Server 8 for x86_64
  1. cargo-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: e8751dd86573b679d1831efe12ea3da3
    SHA-256: 8f84d6282f465064343ad589d5ceac131d3490e3b47e5a68e1edc76fd94cfacf
    Size: 4.73 MB
  2. clippy-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: 851ce531696f116d757ed24d28a49af4
    SHA-256: 7c603569f679aa90d8720385e36776d834a2d194a70ababa1f11564382b9054b
    Size: 2.57 MB
  3. rust-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: 669db1ea439d64a133c0b6b12a90057d
    SHA-256: 8cf97230dfac9dc7de5930bcf961580ee09f881c4a8b379ff916cd28b6b31c83
    Size: 28.31 MB
  4. rust-analysis-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: 1ca9184db18b0f96176e2c4680e58301
    SHA-256: c4eee53bb031570d9963e4676afdbf0fbcb2122d3811085ce15770d9c8e7c559
    Size: 3.86 MB
  5. rust-analyzer-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: 28f42c35f6406b8dcf68663ab7ea265a
    SHA-256: 1bcb5b4ecbad4bdf320f3ee4f820017078e6657fe463c707b60199d80ea2d560
    Size: 7.66 MB
  6. rust-debugger-common-1.66.1-2.module+el8+1654+241c134b.noarch.rpm
    MD5: ce96b67bbd4a5efadb32b2d4f0cd487f
    SHA-256: 508c1492817a0762d60678c12282c108ecfbf841fbe333351bb469b16b449c2f
    Size: 13.93 kB
  7. rust-debugsource-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: b91aca0e72212a291c2894ce689cbe0a
    SHA-256: 30765cff48c766bb8aab4d9dda9e104eb7a949da15b6852ec27854913dc8008f
    Size: 14.16 MB
  8. rust-doc-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: 74efb8d610ee9ead3f9dd81124b15c5f
    SHA-256: 78dfa022525c37191d23ef82c0c6e63587e359b478ffcce681d67920136c4a8b
    Size: 37.22 MB
  9. rustfmt-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: 3a98a14fbe4dc6e7d6aeb27c625945f6
    SHA-256: 15029aae8c4d05dfff57437da05a6921dc3f78699e1844e0c6416575dc674838
    Size: 3.12 MB
  10. rust-gdb-1.66.1-2.module+el8+1654+241c134b.noarch.rpm
    MD5: ac07b11011fd8febe45669fccd2f9e47
    SHA-256: 34bbdaf9d896c0507febc547293d1e4b2bd3833ba87b85cc11fd9163b385b17a
    Size: 17.43 kB
  11. rust-lldb-1.66.1-2.module+el8+1654+241c134b.noarch.rpm
    MD5: 47b676c6c5ecc0339d6637b96becd571
    SHA-256: 4aa70a5532f867bfa45943e1784eb15731a6eda138b1156409dc8b0fdf30a5b8
    Size: 19.03 kB
  12. rust-src-1.66.1-2.module+el8+1654+241c134b.noarch.rpm
    MD5: 56909bad7e828b56a6589303559d0605
    SHA-256: f4a78807f77a617decf0cdef6413c99d9086bb3ee93ac9f390ef230e4ec4ff1c
    Size: 2.83 MB
  13. rust-std-static-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: a55c43cd26ac9c110d5a18349c1dbdbe
    SHA-256: efb1a0d8544d6cd948469db67c4ad5156c4fc6d7a99a6b0d7e1adbdb5ce07201
    Size: 29.05 MB
  14. rust-std-static-wasm32-unknown-unknown-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: 5cde80e33735e9ba9205941a431bfd2a
    SHA-256: a22609f921880db4a6f59b6b108a8636a297bebf259d1a3764d1cc6a41999862
    Size: 25.67 MB
  15. rust-std-static-wasm32-wasi-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: d7fab45e2dd63776299be04f360b86e5
    SHA-256: 9c36f3766877c14bb02cbe99c6604a0c2b79366313cfe8a287a10c916210ab9f
    Size: 26.64 MB
  16. rust-toolset-1.66.1-2.module+el8+1654+241c134b.x86_64.rpm
    MD5: 0c2f2194d1e53d5e9234a20339510c83
    SHA-256: de9e4af6a0f9d244f8b38cd0a25cacee5cc375841f6be3f093ca91b709c3dda1
    Size: 13.59 kB