rust-toolset:rhel8 security, bug fix, and enhancement update
Errata ID: AXSA:2022-3550:02
Release date:
2022/07/15 Friday - 06:29
Title:
rust-toolset:rhel8 security, bug fix, and enhancement update
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
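The following issues have been addressed.
[Security Fix]
- rust-toolset contains a vulnerability in which a race condition between symlink creation and execution of the std::fs::remove_dir_all() standard library function allows an attacker to delete files and directories that the attacker could not otherwise access or delete. (CVE-2022-21658)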
Modularity name: rust-toolset
Stream name: rhel8
Solution:
Update the packages.
CVE:
CVE-2022-21658
Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.
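A toolchain audit built on the affected range stated above, as an added example that is not part of the advisory: it parses `rustc --version`-style text and reports whether the version lies in 1.0.0 through 1.58.0. The names `Status`, `parse_version` and `classify` are hypothetical, and reporting pre-release builds numbered above 1.58.0 as unknown is an assumption made here, not a statement from the advisory.

```rust
// Added example, not part of the advisory: classify a toolchain version
// against the affected range it states (Rust 1.0.0 through 1.58.0).

#[derive(Debug, PartialEq)]
enum Status {
    Affected, // 1.0.0 ..= 1.58.0
    Patched,  // stable 1.58.1 or later
    Unknown,  // unparsable, pre-1.0, or a pre-release we cannot judge
}

/// Parse "rustc 1.58.1 (hash date)" or a bare "1.60.0-nightly" into
/// ((major, minor, patch), is_prerelease).
fn parse_version(text: &str) -> Option<((u32, u32, u32), bool)> {
    // First whitespace-separated token that begins with a digit.
    let token = text
        .split_whitespace()
        .find(|t| t.starts_with(|c: char| c.is_ascii_digit()))?;
    // Split off a channel suffix such as "-nightly" or "-beta.2".
    let (core, prerelease) = match token.split_once('-') {
        Some((core, _)) => (core, true),
        None => (token, false),
    };
    let nums: Vec<u32> = core
        .split('.')
        .map(|p| p.parse::<u32>().ok())
        .collect::<Option<Vec<u32>>>()?;
    match nums.as_slice() {
        &[major, minor, patch] => Some(((major, minor, patch), prerelease)),
        _ => None,
    }
}

fn classify(text: &str) -> Status {
    match parse_version(text) {
        Some((v, _)) if v >= (1, 0, 0) && v <= (1, 58, 0) => Status::Affected,
        // Assumption: a nightly/beta numbered above 1.58.0 may predate the
        // fix, so only suffix-free (stable) versions are reported as patched.
        Some((v, false)) if v >= (1, 58, 1) => Status::Patched,
        _ => Status::Unknown,
    }
}

fn main() {
    // Constructed inputs in the shape printed by `rustc --version`.
    for s in ["rustc 1.58.0 (0000000 2022-01-01)", "rustc 1.58.1", "rustc 1.60.0-nightly", "n/a"] {
        println!("{:<36} {:?}", s, classify(s));
    }
}
```

A `Patched` result covers the toolchain version only; binaries built for macOS before 10.10 or for Redox remain exposed, as the description notes, and programs compiled with an affected toolchain need rebuilding.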
Additional information:
N/A
Download:
SRPMS
- rust-toolset-1.58.1-1.module+el8+1485+441e1838.src.rpm
MD5: fd968b771e2c84bb6f449295ee3173c9
SHA-256: 199fbea8f1344d236ba4a4dbac9a67b494448f89d2c5fd2227ecba492d7714be
Size: 11.84 kB
- rust-1.58.1-1.module+el8+1485+441e1838.src.rpm
MD5: 9baf3162bd37598912931af4b3a86c47
SHA-256: c85cdba6f8ed4f5d3066fbdf91cf41a5b0cb80d8a1a2402dce99a2c1581fce3b
Size: 119.84 MB
Asianux Server 8 for x86_64
- rust-toolset-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: b41446241772e7fb4103a90fc7406542
SHA-256: 09082425f9e2610049fda9c7d72864c92d12190668948f9cbbe3b5e540692d59
Size: 11.49 kB
- rust-debugsource-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: 1aaad61703f27a604d54392e710f4fde
SHA-256: 0679eaae17713bb03b8597e222086fcd18a2f4492a3cb369ab6b119b4d52c6bb
Size: 12.12 MB
- rust-doc-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: 5e27f5379801021e653fd95e6d41a2b8
SHA-256: 26ae0a8a08acbacbf5f65895b00a78d58eec44b742a952b74982fd4be5cc2cfd
Size: 33.79 MB
- rust-debugger-common-1.58.1-1.module+el8+1485+441e1838.noarch.rpm
MD5: c79bd8bfc21c76714642933629d4d58f
SHA-256: e71aa05cfb43dc97dc71926df633f2bc5ba91a6c8b9c24ba5cff28293e89ed2e
Size: 12.97 kB
- rust-std-static-wasm32-unknown-unknown-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: 400a6b86938737f0479d523474c3adc0
SHA-256: 72c9c663d813d446850584ea730bef6046bfcc431fc1d2fe881940b30ee7aff8
Size: 22.10 MB
- rustfmt-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: 48c6d5f7182f69d38cc7d631458f103e
SHA-256: 6bf6eab97011b12279289d575d9c9830109b79b3fce71ff921d879b57c888089
Size: 2.83 MB
- cargo-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: d9e0397da2e06b5322156012e3220dc3
SHA-256: 2c5f26366e6800bd69edc818d0fe34416a91c8fa2d5e4530eab4d3d202bdcc24
Size: 4.29 MB
- rust-analysis-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: ca17568606cfe620098c049c7c981880
SHA-256: 3b69f59b7c1ff3d85cdcb21cd9fff7a5fda464e7239c36dec5e126efe34fe9bc
Size: 3.32 MB
- rust-std-static-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: da32bfd34296f3432351208eaa7a96cc
SHA-256: 6b4533f0e1cc7fa64b30f697298cf4bc2414b12853a4c48218260acf22e6034d
Size: 25.14 MB
- clippy-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: 8f9484a88d78356c88fc9e9574ccd23d
SHA-256: 3bdc94dee65f3a005ac2941fa47ab0f6476f293b63a89ebc7d03f94c005d70ba
Size: 2.05 MB
- rust-src-1.58.1-1.module+el8+1485+441e1838.noarch.rpm
MD5: 642c532ffa6eb972831034bf7daf9ec1
SHA-256: e39d38ae3d466e927a5dc454887ff80122c7dd90d72e4b358fd9baf20e6daa3a
Size: 3.15 MB
- rust-std-static-wasm32-wasi-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: eb917826a3c28c3fc7eb5b945d005a27
SHA-256: 2b5e1c71af4cc8608fbab2df332a7eadcef39d9454d3a8df9300d07f8e9055db
Size: 23.41 MB
- rust-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: 4b404bbf0f8982b42e37a3e34f3efdc0
SHA-256: 862a2d34774e8cb650aef3428617d69fbf3f47d4b95e3c32671e0a08302ee8c1
Size: 27.71 MB
- rust-gdb-1.58.1-1.module+el8+1485+441e1838.noarch.rpm
MD5: 4937c1a6f8ac5677f166f974191ee4ae
SHA-256: e00093ef54205a57b9a7c3586a4c446fec8776841bd0bc3ce3e62a292f81cfdc
Size: 16.35 kB
- rust-lldb-1.58.1-1.module+el8+1485+441e1838.noarch.rpm
MD5: a2a2afb0b3b1846ce692005f9dd09079
SHA-256: cb12d66c9d0a53b0d82beba9235cc0414cb9086ec9f59d6c4dd6c11a01456731
Size: 18.00 kB
- rls-1.58.1-1.module+el8+1485+441e1838.x86_64.rpm
MD5: df77fcb9400fcb930a90bd5e2772d651
SHA-256: 350eafea434f65267cbc71b48d50726e79e43cf1bb458aeb8a9cbc1f8dfb7064
Size: 7.68 MB
- cargo-doc-1.58.1-1.module+el8+1485+441e1838.noarch.rpm
MD5: ab523d975a6b6f3704ebed0863ad7a83
SHA-256: a331698bab5b6a3550c977ec11e8cd3313b6341414bc063d85bb9c6311b8fe17
Size: 11.76 kB